Vulnerability-Lookup

CVE-2026-27446 (GCVE-0-2026-27446)

Vulnerability from cvelistv5 – Published: 2026-03-04 08:48 – Updated: 2026-03-05 04:55

Title

Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation

Summary

Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both: - incoming Core protocol connections from untrusted sources to the broker - outgoing Core protocol connections from the broker to untrusted targets This issue affects: - Apache Artemis from 2.50.0 through 2.51.0 - Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by either of the following: - Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. - Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/jwpsdc8tdxotm98od…

vendor-advisory

Impacted products

Vendor

Product

Version

Apache Software Foundation

Apache Artemis

Affected: 2.50.0 , ≤ 2.51.0 (semver)

Apache Software Foundation

Apache ActiveMQ Artemis

Affected: 2.11.0 , ≤ 2.44.0 (semver)

Credits

Hardik Mehta <mehtahardik@proton.me>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-05T04:33:58.767Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/04/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/03/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27446",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-05T04:55:45.957Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.artemis:artemis-server",
          "product": "Apache Artemis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.51.0",
              "status": "affected",
              "version": "2.50.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:artemis-server",
          "product": "Apache ActiveMQ Artemis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.44.0",
              "status": "affected",
              "version": "2.11.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hardik Mehta \u003cmehtahardik@proton.me\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\u003c/p\u003e\u003cp\u003e- incoming Core protocol connections from untrusted sources to the broker\u003c/p\u003e\u003cp\u003e- outgoing Core protocol connections from the broker to untrusted targets\u003c/p\u003e\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003e- Apache Artemis from 2.50.0 through 2.51.0\u003c/p\u003e\u003cp\u003e- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\u003c/p\u003e\u003cp\u003eThe issue can be mitigated by either of the following:\u003c/p\u003e\u003cp\u003e- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \"artemis\" acceptor listening on port 61616. See the \"protocols\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\u003c/p\u003e\u003cp\u003e- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\n\n- incoming Core protocol connections from untrusted sources to the broker\n\n- outgoing Core protocol connections from the broker to untrusted targets\n\nThis issue affects:\n\n- Apache Artemis from 2.50.0 through 2.51.0\n\n- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\n\nUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\n\nThe issue can be mitigated by either of the following:\n\n- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \"artemis\" acceptor listening on port 61616. See the \"protocols\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\n\n- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T08:48:48.199Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg"
        }
      ],
      "source": {
        "defect": [
          "ARTEMIS-5928"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-27446",
    "datePublished": "2026-03-04T08:48:48.199Z",
    "dateReserved": "2026-02-19T16:10:53.921Z",
    "dateUpdated": "2026-03-05T04:55:45.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27446\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-03-04T09:15:56.837\",\"lastModified\":\"2026-03-11T15:15:37.153\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\\n\\n- incoming Core protocol connections from untrusted sources to the broker\\n\\n- outgoing Core protocol connections from the broker to untrusted targets\\n\\nThis issue affects:\\n\\n- Apache Artemis from 2.50.0 through 2.51.0\\n\\n- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\\n\\nUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\\n\\nThe issue can be mitigated by either of the following:\\n\\n- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \\\"artemis\\\" acceptor listening on port 61616. See the \\\"protocols\\\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\\n\\n- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de Autenticaci\u00f3n Faltante para Funci\u00f3n Cr\u00edtica (CWE-306) en Apache Artemis, Apache ActiveMQ Artemis. Un atacante remoto no autenticado puede usar el protocolo Core para forzar a un broker objetivo a establecer una conexi\u00f3n de federaci\u00f3n Core saliente con un broker malicioso controlado por el atacante. Esto podr\u00eda resultar potencialmente en la inyecci\u00f3n de mensajes en cualquier cola y/o la exfiltraci\u00f3n de mensajes de cualquier cola a trav\u00e9s del broker malicioso. Esto afecta a entornos que permiten ambos:\\n\\n- conexiones de protocolo Core entrantes desde fuentes no confiables al broker\\n\\n- conexiones de protocolo Core salientes desde el broker a objetivos no confiables\\n\\nEste problema afecta a:\\n\\n- Apache Artemis desde 2.50.0 hasta 2.51.0\\n\\n- Apache ActiveMQ Artemis desde 2.11.0 hasta 2.44.0.\\n\\nSe recomienda a los usuarios actualizar a la versi\u00f3n 2.52.0 de Apache Artemis, que corrige el problema.\\n\\nEl problema puede mitigarse mediante cualquiera de las siguientes opciones:\\n\\n- Eliminar el soporte del protocolo Core de cualquier aceptor que reciba conexiones de fuentes no confiables. Las conexiones de protocolo Core entrantes son compatibles por defecto a trav\u00e9s del aceptor \u0027artemis\u0027 que escucha en el puerto 61616. Consulte el par\u00e1metro URL \u0027protocols\u0027 configurado para el aceptor. Una URL de aceptor sin este par\u00e1metro soporta todos los protocolos por defecto, incluyendo Core.\\n\\n- Usar SSL bidireccional (es decir, autenticaci\u00f3n basada en certificados) para forzar a cada cliente a presentar el certificado SSL adecuado al establecer una conexi\u00f3n antes de que se intente cualquier handshake de protocolo de mensajes. Esto evitar\u00e1 la explotaci\u00f3n no autenticada de esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.11.0\",\"versionEndIncluding\":\"2.44.0\",\"matchCriteriaId\":\"6BC62090-71FA-45A2-A519-B2C3B47D4262\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:artemis:2.50.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8AF62B6D-CD60-43D0-9740-AC011CC1FBFF\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/03/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/04/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/04/1\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/03/4\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-05T04:33:58.767Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27446\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-04T18:54:49.382178Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-04T18:55:07.149Z\"}}], \"cna\": {\"title\": \"Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation\", \"source\": {\"defect\": [\"ARTEMIS-5928\"], \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Hardik Mehta \u003cmehtahardik@proton.me\u003e\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"critical\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Artemis\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.50.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.51.0\"}], \"packageName\": \"org.apache.artemis:artemis-server\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ Artemis\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.11.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.44.0\"}], \"packageName\": \"org.apache.activemq:artemis-server\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\\n\\n- incoming Core protocol connections from untrusted sources to the broker\\n\\n- outgoing Core protocol connections from the broker to untrusted targets\\n\\nThis issue affects:\\n\\n- Apache Artemis from 2.50.0 through 2.51.0\\n\\n- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\\n\\nUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\\n\\nThe issue can be mitigated by either of the following:\\n\\n- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \\\"artemis\\\" acceptor listening on port 61616. See the \\\"protocols\\\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\\n\\n- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMissing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\u003c/p\u003e\u003cp\u003e- incoming Core protocol connections from untrusted sources to the broker\u003c/p\u003e\u003cp\u003e- outgoing Core protocol connections from the broker to untrusted targets\u003c/p\u003e\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003e- Apache Artemis from 2.50.0 through 2.51.0\u003c/p\u003e\u003cp\u003e- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\u003c/p\u003e\u003cp\u003eThe issue can be mitigated by either of the following:\u003c/p\u003e\u003cp\u003e- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \\\"artemis\\\" acceptor listening on port 61616. See the \\\"protocols\\\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\u003c/p\u003e\u003cp\u003e- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-03-04T08:48:48.199Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27446\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-05T04:55:45.957Z\", \"dateReserved\": \"2026-02-19T16:10:53.921Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-03-04T08:48:48.199Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-FW88-PF9M-P947

Vulnerability from github – Published: 2026-03-04 09:31 – Updated: 2026-03-05 15:28

Summary

Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions

Details

Incoming Core protocol connections from untrusted sources to the broker
Outgoing Core protocol connections from the broker to untrusted targets

This issue affects:

Apache Artemis from 2.50.0 through 2.51.0
Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.

The issue can be mitigated by either of the following:

Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.
Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

Severity ?

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:artemis-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "last_affected": "2.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.artemis:artemis-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.50.0"
            },
            {
              "fixed": "2.52.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T22:37:18Z",
    "nvd_published_at": "2026-03-04T09:15:56Z",
    "severity": "CRITICAL"
  },
  "details": "Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\n\n- Incoming Core protocol connections from untrusted sources to the broker\n\n- Outgoing Core protocol connections from the broker to untrusted targets\n\nThis issue affects:\n\n- Apache Artemis from 2.50.0 through 2.51.0\n\n- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\n\nUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\n\nThe issue can be mitigated by either of the following:\n\n- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \"artemis\" acceptor listening on port 61616. See the \"protocols\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\n\n- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.",
  "id": "GHSA-fw88-pf9m-p947",
  "modified": "2026-03-05T15:28:06Z",
  "published": "2026-03-04T09:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27446"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/artemis"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/03/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/04/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions"
}

FKIE_CVE-2026-27446

Vulnerability from fkie_nvd - Published: 2026-03-04 09:15 - Updated: 2026-03-11 15:15

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/03/03/4	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/03/04/1	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	activemq_artemis	*
	apache	artemis	2.50.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BC62090-71FA-45A2-A519-B2C3B47D4262",
              "versionEndIncluding": "2.44.0",
              "versionStartIncluding": "2.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:artemis:2.50.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AF62B6D-CD60-43D0-9740-AC011CC1FBFF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\n\n- incoming Core protocol connections from untrusted sources to the broker\n\n- outgoing Core protocol connections from the broker to untrusted targets\n\nThis issue affects:\n\n- Apache Artemis from 2.50.0 through 2.51.0\n\n- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\n\nUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\n\nThe issue can be mitigated by either of the following:\n\n- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \"artemis\" acceptor listening on port 61616. See the \"protocols\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\n\n- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Autenticaci\u00f3n Faltante para Funci\u00f3n Cr\u00edtica (CWE-306) en Apache Artemis, Apache ActiveMQ Artemis. Un atacante remoto no autenticado puede usar el protocolo Core para forzar a un broker objetivo a establecer una conexi\u00f3n de federaci\u00f3n Core saliente con un broker malicioso controlado por el atacante. Esto podr\u00eda resultar potencialmente en la inyecci\u00f3n de mensajes en cualquier cola y/o la exfiltraci\u00f3n de mensajes de cualquier cola a trav\u00e9s del broker malicioso. Esto afecta a entornos que permiten ambos:\n\n- conexiones de protocolo Core entrantes desde fuentes no confiables al broker\n\n- conexiones de protocolo Core salientes desde el broker a objetivos no confiables\n\nEste problema afecta a:\n\n- Apache Artemis desde 2.50.0 hasta 2.51.0\n\n- Apache ActiveMQ Artemis desde 2.11.0 hasta 2.44.0.\n\nSe recomienda a los usuarios actualizar a la versi\u00f3n 2.52.0 de Apache Artemis, que corrige el problema.\n\nEl problema puede mitigarse mediante cualquiera de las siguientes opciones:\n\n- Eliminar el soporte del protocolo Core de cualquier aceptor que reciba conexiones de fuentes no confiables. Las conexiones de protocolo Core entrantes son compatibles por defecto a trav\u00e9s del aceptor \u0027artemis\u0027 que escucha en el puerto 61616. Consulte el par\u00e1metro URL \u0027protocols\u0027 configurado para el aceptor. Una URL de aceptor sin este par\u00e1metro soporta todos los protocolos por defecto, incluyendo Core.\n\n- Usar SSL bidireccional (es decir, autenticaci\u00f3n basada en certificados) para forzar a cada cliente a presentar el certificado SSL adecuado al establecer una conexi\u00f3n antes de que se intente cualquier handshake de protocolo de mensajes. Esto evitar\u00e1 la explotaci\u00f3n no autenticada de esta vulnerabilidad."
    }
  ],
  "id": "CVE-2026-27446",
  "lastModified": "2026-03-11T15:15:37.153",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security@apache.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-04T09:15:56.837",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/03/03/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/03/04/1"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

RHSA-2026:3957

Vulnerability from csaf_redhat - Published: 2026-03-06 06:15 - Updated: 2026-03-13 18:23

Summary

Red Hat Security Advisory: Red Hat AMQ Broker 7.13.4 release and security update

Notes

Topic

Red Hat AMQ Broker 7.13.4 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.13.4 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * (CVE-2026-27446) artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat AMQ Broker 7.13.4 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.\n\nThis release of Red Hat AMQ Broker 7.13.4 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* (CVE-2026-27446) artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:3957",
        "url": "https://access.redhat.com/errata/RHSA-2026:3957"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification#important",
        "url": "https://access.redhat.com/security/updates/classification#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.13.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.13.4"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.13",
        "url": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.13"
      },
      {
        "category": "external",
        "summary": "2444320",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444320"
      },
      {
        "category": "external",
        "summary": "ENTMQBR-10250",
        "url": "https://issues.redhat.com/browse/ENTMQBR-10250"
      },
      {
        "category": "external",
        "summary": "ENTMQBR-10256",
        "url": "https://issues.redhat.com/browse/ENTMQBR-10256"
      },
      {
        "category": "external",
        "summary": "ENTMQBR-10317",
        "url": "https://issues.redhat.com/browse/ENTMQBR-10317"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3957.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat AMQ Broker 7.13.4 release and security update",
    "tracking": {
      "current_release_date": "2026-03-13T18:23:43+00:00",
      "generator": {
        "date": "2026-03-13T18:23:43+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2026:3957",
      "initial_release_date": "2026-03-06T06:15:07+00:00",
      "revision_history": [
        {
          "date": "2026-03-06T06:15:07+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-06T06:15:07+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-13T18:23:43+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat AMQ Broker 7.13.4",
                "product": {
                  "name": "Red Hat AMQ Broker 7.13.4",
                  "product_id": "Red Hat AMQ Broker 7.13.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_broker:7.13"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss AMQ"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27446",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2026-03-04T07:02:26.064000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2444320"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Artemis and Apache ActiveMQ Artemis. An unauthenticated remote attacker can exploit a missing authentication for critical function vulnerability by using the Core protocol. This allows the attacker to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. The primary consequence is the potential for message injection into any queue and/or message exfiltration from any queue via the rogue broker.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This IMPORTANT vulnerability in Apache Artemis and Apache ActiveMQ Artemis allows an unauthenticated remote attacker to inject or exfiltrate messages by forcing a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AMQ Broker 7.13.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-27446"
        },
        {
          "category": "external",
          "summary": "RHBZ#2444320",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444320"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-27446",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27446"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27446",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27446"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg",
          "url": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg"
        }
      ],
      "release_date": "2026-03-04T06:06:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-06T06:15:07+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat AMQ Broker 7.13.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:3957"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, restrict Core protocol support on acceptors receiving connections from untrusted sources. The default \"artemis\" acceptor on port 61616 supports all protocols, including Core. Modify the acceptor URL to explicitly exclude the Core protocol using the \"protocols\" URL parameter. Alternatively, configure two-way SSL with certificate-based authentication to prevent unauthenticated exploitation. A service restart or reload may be required for changes to take effect.",
          "product_ids": [
            "Red Hat AMQ Broker 7.13.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat AMQ Broker 7.13.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication"
    }
  ]
}

RHSA-2026:3955

Vulnerability from csaf_redhat - Published: 2026-03-05 21:59 - Updated: 2026-03-13 18:23

Summary

Red Hat Security Advisory: Red Hat AMQ Broker 7.12.6 release and security update

Notes

Topic

Red Hat AMQ Broker 7.12.6 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.12.6 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * (CVE-2026-27446) artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat AMQ Broker 7.12.6 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.\n\nThis release of Red Hat AMQ Broker 7.12.6 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* (CVE-2026-27446) artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:3955",
        "url": "https://access.redhat.com/errata/RHSA-2026:3955"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification#important",
        "url": "https://access.redhat.com/security/updates/classification#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.12.6",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.12.6"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.12",
        "url": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.12"
      },
      {
        "category": "external",
        "summary": "2444320",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444320"
      },
      {
        "category": "external",
        "summary": "ENTMQBR-10147",
        "url": "https://issues.redhat.com/browse/ENTMQBR-10147"
      },
      {
        "category": "external",
        "summary": "ENTMQBR-10166",
        "url": "https://issues.redhat.com/browse/ENTMQBR-10166"
      },
      {
        "category": "external",
        "summary": "ENTMQBR-10169",
        "url": "https://issues.redhat.com/browse/ENTMQBR-10169"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3955.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat AMQ Broker 7.12.6 release and security update",
    "tracking": {
      "current_release_date": "2026-03-13T18:23:43+00:00",
      "generator": {
        "date": "2026-03-13T18:23:43+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2026:3955",
      "initial_release_date": "2026-03-05T21:59:31+00:00",
      "revision_history": [
        {
          "date": "2026-03-05T21:59:31+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-05T21:59:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-13T18:23:43+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat AMQ Broker 7.12.6",
                "product": {
                  "name": "Red Hat AMQ Broker 7.12.6",
                  "product_id": "Red Hat AMQ Broker 7.12.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_broker:7.12"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss AMQ"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27446",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2026-03-04T07:02:26.064000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2444320"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Artemis and Apache ActiveMQ Artemis. An unauthenticated remote attacker can exploit a missing authentication for critical function vulnerability by using the Core protocol. This allows the attacker to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. The primary consequence is the potential for message injection into any queue and/or message exfiltration from any queue via the rogue broker.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This IMPORTANT vulnerability in Apache Artemis and Apache ActiveMQ Artemis allows an unauthenticated remote attacker to inject or exfiltrate messages by forcing a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AMQ Broker 7.12.6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-27446"
        },
        {
          "category": "external",
          "summary": "RHBZ#2444320",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444320"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-27446",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27446"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27446",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27446"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg",
          "url": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg"
        }
      ],
      "release_date": "2026-03-04T06:06:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-05T21:59:31+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat AMQ Broker 7.12.6"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:3955"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, restrict Core protocol support on acceptors receiving connections from untrusted sources. The default \"artemis\" acceptor on port 61616 supports all protocols, including Core. Modify the acceptor URL to explicitly exclude the Core protocol using the \"protocols\" URL parameter. Alternatively, configure two-way SSL with certificate-based authentication to prevent unauthenticated exploitation. A service restart or reload may be required for changes to take effect.",
          "product_ids": [
            "Red Hat AMQ Broker 7.12.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat AMQ Broker 7.12.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27446 (GCVE-0-2026-27446)

GHSA-FW88-PF9M-P947

FKIE_CVE-2026-27446

RHSA-2026:3957

RHSA-2026:3955

Tags

Sightings

Nomenclature