8.8
CVE-2026-49157
- EPSS 0.42%
- Veröffentlicht 01.06.2026 09:16:20
- Zuletzt bearbeitet 01.06.2026 17:09:59
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default
Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.338 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-276 Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8
http://www.openwall.com/lists/oss-security/2026/05/31/21