CVE-2026-49877 PUBLISHED

Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console

Assigner: apache
Reserved: 02.06.2026 Published: 30.06.2026 Updated: 30.06.2026

Improper Authorization vulnerability in Apache ActiveMQ.

By default, an authenticated low-privilege Web Console user can access /admin/* paths in the Web Console, because the default Jetty settings did not restrict those paths to admins. This issue affects Apache ActiveMQ: before 5.19.8, and from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
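
For deployments that carry a customised Jetty configuration, the following is an added example (not code from the advisory or from the ActiveMQ project) that flags constraint mappings placing /admin/* under a constraint open to non-admin roles. The embedded XML is a constructed sample in the Spring-bean style of a jetty.xml; the bean ids and the role names "user" and "admin" are assumptions, and the sample is not the vendor's fix.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}

# Constructed sample (assumed layout, not the shipped file): /admin/* is mapped
# to a constraint that admits both the "user" and "admin" roles.
SAMPLE_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="roles" value="user,admin"/>
  </bean>
  <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="roles" value="admin"/>
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/api/*,/admin/*,*.jsp"/>
  </bean>
  <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint"/>
    <property name="pathSpec" value="*.action"/>
  </bean>
</beans>"""


def _prop(bean, name, attr="value"):
    """Return one <property> attribute of a bean, or '' when it is absent."""
    node = bean.find(f"b:property[@name='{name}']", NS)
    return node.get(attr, "") if node is not None else ""


def audit_admin_paths(xml_text, admin_roles=frozenset({"admin"})):
    """Return (mapping id, non-admin roles) for each /admin path mapping open to them."""
    root = ET.fromstring(xml_text)
    roles_by_id = {}
    for bean in root.findall("b:bean", NS):
        if bean.get("class", "").endswith(".Constraint"):
            roles = {r.strip() for r in _prop(bean, "roles").split(",") if r.strip()}
            roles_by_id[bean.get("id")] = roles
    findings = []
    for bean in root.findall("b:bean", NS):
        if not bean.get("class", "").endswith(".ConstraintMapping"):
            continue
        specs = [s.strip() for s in _prop(bean, "pathSpec").split(",")]
        if not any(s.startswith("/admin") for s in specs):
            continue  # this mapping does not name an /admin path
        extra = roles_by_id.get(_prop(bean, "constraint", "ref"), set()) - admin_roles
        if extra:
            findings.append((bean.get("id"), sorted(extra)))
    return findings
```

An empty result only means no /admin mapping admits a non-admin role; it does not show that /admin/* is covered by any constraint at all, so confirm that separately.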

Product Status

Vendor Apache Software Foundation
Product Apache ActiveMQ
Versions Default: unaffected
  • affected from 0 to 5.19.8 (excl.)
  • affected from 6.0.0 to 6.2.7 (excl.)

Credits

  • Leon Johnson (github: lokerxx), finder

Problem Types

  • CWE-285 Improper Authorization