CVE-2026-32642 Overview
CVE-2026-32642 is an Incorrect Authorization vulnerability (CWE-863) affecting Apache Artemis and Apache ActiveMQ Artemis. It is triggered when an application connected over the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that does not exist. The affected principal is an authenticated user who holds the createDurableQueue permission but lacks the createAddress permission, on a broker where address auto-creation is disabled.
In that situation a temporary address is created, whereas the attempt should fail because the user is not authorized to create the corresponding address. The address is removed when the OpenWire connection is closed.
Critical Impact
Authenticated users with limited permissions can bypass authorization controls to create temporary addresses on Apache Artemis message brokers, potentially allowing unauthorized queue/topic manipulation.
Affected Products
- Apache Artemis versions 2.50.0 through 2.52.0
- Apache ActiveMQ Artemis versions 2.0.0 through 2.44.0
Discovery Timeline
- 2026-03-24 - CVE-2026-32642 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-32642
Vulnerability Analysis
This authorization bypass vulnerability stems from improper permission validation in the OpenWire protocol handler within Apache Artemis. When a user with the createDurableQueue permission attempts to create a non-durable JMS topic subscription on a non-existent address, the system fails to properly validate that the user also possesses the createAddress permission.
The vulnerability specifically manifests when address auto-creation is disabled in the broker configuration. Under these conditions, the system should deny the request entirely since the user lacks authority to create the underlying address. However, the flawed authorization logic allows a temporary address to be created, effectively bypassing the intended security controls.
Because the created address is removed when the OpenWire connection closes, the bypass has limited persistence, but it is still a clear violation of the configured authorization model.
Root Cause
The root cause is an Incorrect Authorization check (CWE-863) in the OpenWire protocol handling code. The authorization logic incorrectly allows address creation when processing non-durable topic subscription requests, even when the authenticated user only has createDurableQueue permission without the corresponding createAddress permission. This represents a gap in the permission validation flow that should enforce both permissions for the operation to succeed.
Attack Vector
The attack requires network access to an Apache Artemis or Apache ActiveMQ Artemis broker with the following conditions:
- The attacker must be an authenticated user with createDurableQueue permission
- The attacker must NOT have createAddress permission
- Address auto-creation must be disabled on the broker
- The attacker connects using the OpenWire protocol
- The attacker attempts to create a non-durable JMS topic subscription on a non-existent address
Upon successful exploitation, a temporary address is created despite the user lacking proper authorization. The address persists until the OpenWire connection is closed. This could allow attackers to temporarily manipulate messaging infrastructure in ways the security policy was designed to prevent.
Detection Methods for CVE-2026-32642
Indicators of Compromise
- Unexpected temporary addresses appearing in Apache Artemis broker logs
- Address creation events from users who should only have createDurableQueue permissions
- OpenWire protocol connections followed by address creation without proper authorization
- Audit log entries showing address creation and immediate deletion patterns
Detection Strategies
- Enable detailed authorization logging in Apache Artemis to capture permission check events
- Monitor for address creation events from users with limited permission sets
- Implement alerting for OpenWire protocol activity associated with address manipulation
- Review broker audit logs for patterns of temporary address creation and deletion
Monitoring Recommendations
- Configure Apache Artemis security audit logging to capture all authorization decisions
- Set up monitoring for unusual patterns in address lifecycle events
- Implement network monitoring for OpenWire protocol traffic to affected brokers
- Establish baseline metrics for address creation activity to identify anomalies
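To make the indicators above concrete, here is an added example (not from the page or the Artemis project) that scans audit-log lines for address creations by principals whose roles lack createAddress, and for create-then-delete pairs on a single connection. The line format is an assumption modelled on the "User name(roles)@host:port is ..." shape of Artemis audit messages, and the sample lines are constructed.

```python
"""Scan Artemis-style audit lines for address creations by roles lacking createAddress."""
import re
from collections import defaultdict

# Assumed line shape (constructed for this example, modelled on the
# "User <name>(<roles>)@<host>:<port> is ..." form of Artemis audit messages):
LINE_RE = re.compile(
    r"User (?P<user>[^(]+)\((?P<roles>[^)]*)\)@(?P<conn>[\d.:]+) "
    r"is (?P<action>creating|deleting) address on target resource: (?P<address>\S+)"
)

def parse_event(line):
    """Return a dict with user, roles (set), conn, action, address, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["roles"] = {r.strip() for r in ev["roles"].split(",") if r.strip()}
    return ev

def find_unauthorized_creates(lines, create_address_roles):
    """(user, conn, address) for each creation where no role of the user carries createAddress."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["action"] == "creating" and not (ev["roles"] & create_address_roles):
            hits.append((ev["user"], ev["conn"], ev["address"]))
    return hits

def create_delete_pairs(lines):
    """(conn, address) pairs created and later deleted from the same connection: the temporary-address pattern."""
    created = defaultdict(set)
    pairs = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        if ev["action"] == "creating":
            created[ev["conn"]].add(ev["address"])
        elif ev["address"] in created[ev["conn"]]:
            pairs.append((ev["conn"], ev["address"]))
    return pairs

# Constructed sample log: role "app" lacks createAddress, yet an address appears and then vanishes.
SAMPLE_LOG = [
    "2026-03-24 10:15:02,113 INFO  [org.apache.activemq.audit.resource] User app(app)@10.0.0.5:51234 is creating address on target resource: orders.tmp",
    "2026-03-24 10:15:02,120 INFO  [org.apache.activemq.audit.resource] User admin(admin)@10.0.0.9:40022 is creating address on target resource: billing",
    "2026-03-24 10:15:40,301 INFO  [org.apache.activemq.audit.resource] User app(app)@10.0.0.5:51234 is deleting address on target resource: orders.tmp",
]
```

Feed `find_unauthorized_creates` the role set that holds createAddress in your broker's security-settings; any hit on a broker with auto-create-addresses disabled is worth an alert.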
How to Mitigate CVE-2026-32642
Immediate Actions Required
- Upgrade Apache Artemis to version 2.53.0 or later immediately
- For Apache ActiveMQ Artemis, apply the latest security patches from Apache
- Review current user permissions and remove unnecessary createDurableQueue permissions where possible
- Enable enhanced audit logging to detect potential exploitation attempts
Patch Information
Users are recommended to upgrade to Apache Artemis version 2.53.0, which fixes this authorization bypass issue. The patch addresses the permission validation logic in the OpenWire protocol handler to properly enforce the createAddress permission requirement.
For detailed patch information, refer to the Apache Security Discussion and the OpenWall OSS-Security Update.
Workarounds
- Restrict createDurableQueue permissions to only trusted users who also have createAddress permissions
- Enable address auto-creation as a temporary measure (note: this changes the security model)
- Implement network segmentation to limit access to the OpenWire protocol endpoint
- Consider disabling the OpenWire acceptor if it is not required and using an alternative protocol instead
Configuration example: restrict permissions in broker.xml so that every role holding createDurableQueue also holds createAddress, or drop createDurableQueue from roles that do not need it. The security-settings block below sits inside the core element of broker.xml:
<security-settings>
  <security-setting match="#">
    <!-- grant both permissions to the same role set so no role can hold one without the other -->
    <permission type="createDurableQueue" roles="admin"/>
    <permission type="createAddress" roles="admin"/>
  </security-setting>
</security-settings>
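As an added example (not part of the page or the Artemis project), the following script checks a broker.xml for the precondition the workarounds above remove: roles that hold createDurableQueue without createAddress on a broker where auto-create-addresses is false. The sample broker.xml is constructed.

```python
"""Audit an Artemis broker.xml for the CVE-2026-32642 precondition: roles holding
createDurableQueue but not createAddress while auto-create-addresses is false."""
import xml.etree.ElementTree as ET

def _local(tag):
    # broker.xml elements sit in the urn:activemq:core namespace; compare local names only
    return tag.rsplit("}", 1)[-1]

def security_settings(xml_text):
    """Map each <security-setting match=...> to {permission type: set of roles}."""
    result = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "security-setting":
            perms = result.setdefault(el.get("match"), {})
            for p in el:
                if _local(p.tag) == "permission":
                    roles = {r.strip() for r in p.get("roles", "").split(",") if r.strip()}
                    perms.setdefault(p.get("type"), set()).update(roles)
    return result

def auto_create_disabled(xml_text):
    """Set of <address-setting> matches where <auto-create-addresses> is false."""
    disabled = set()
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "address-setting":
            for child in el:
                if _local(child.tag) == "auto-create-addresses" and (child.text or "").strip() == "false":
                    disabled.add(el.get("match"))
    return disabled

def find_risky_roles(xml_text):
    """Per security-setting match: roles with createDurableQueue but not createAddress.
    Pair with auto_create_disabled(); the bypass needs both conditions."""
    risky = {}
    for match, perms in security_settings(xml_text).items():
        gap = perms.get("createDurableQueue", set()) - perms.get("createAddress", set())
        if gap:
            risky[match] = sorted(gap)
    return risky

# Constructed sample broker.xml: role "app" may create durable queues but not addresses.
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq"><core xmlns="urn:activemq:core">
  <security-settings><security-setting match="#">
    <permission type="createAddress" roles="admin"/>
    <permission type="createDurableQueue" roles="admin,app"/>
  </security-setting></security-settings>
  <address-settings><address-setting match="#">
    <auto-create-addresses>false</auto-create-addresses>
  </address-setting></address-settings>
</core></configuration>"""
```

Run it against the real broker.xml; a non-empty result from both functions means the broker is exposed until it is upgraded or the role grants are aligned.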
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.