CVE-2026-49877 - Vulnerability Details - OpenCVE

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://lists.apache.org/thread/w82vtc3q02j5ot94tnyy1197y3wb98hl

History

Tue, 30 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Title		Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console
Weaknesses		CWE-285
References		https://lists.apache.org/thread/w82vtc3q02j5ot94tnyy1197y3wb98hl

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-30T09:53:42.706Z

Updated: 2026-06-30T11:06:09.219Z

Reserved: 2026-06-02T13:37:55.228Z

Link: CVE-2026-49877

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49877", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-06-02T13:37:55.228Z", "datePublished": "2026-06-30T09:53:42.706Z", "dateUpdated": "2026-06-30T11:06:09.219Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:apache-activemq", "product": "Apache ActiveMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.19.8", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "6.2.7", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Leon Johnson (github: lokerxx)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Authorization vulnerability in Apache ActiveMQ.</p><span style=\"background-color: rgb(255, 255, 255);\">An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins.</span><br><p>This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.</p><p>Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.</p>"}], "value": "Improper Authorization vulnerability in Apache ActiveMQ.\n\nAn authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins.\nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-30T09:53:42.706Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/w82vtc3q02j5ot94tnyy1197y3wb98hl"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/29/9"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-30T11:06:09.219Z"}}]}}