CVE-2026-54475 PUBLISHED

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover

Assigner: apache
Reserved: 15.06.2026 Published: 30.06.2026 Updated: 30.06.2026

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache ActiveMQ Broker
Versions Default: unaffected
  • affected from 0 to 5.19.8 (excl.)
  • affected from 6.0.0 to 6.2.7 (excl.)
Vendor Apache Software Foundation
Product Apache ActiveMQ All
Versions Default: unaffected
  • affected from 0 to 5.19.8 (excl.)
  • affected from 6.0.0 to 6.2.7 (excl.)
Vendor Apache Software Foundation
Product Apache ActiveMQ
Versions Default: unaffected
  • affected from 0 to 5.19.8 (excl.)
  • affected from 6.0.0 to 6.2.7 (excl.)

Credits

  • Leon Johnson (github: lokerxx) finder

References

Problem Types

  • CWE-862 Missing Authorization CWE