CVE-2026-46605: Apache ActiveMQ Auth Bypass Vulnerability

CVE-2026-46605 Overview

CVE-2026-46605 is an incomplete authorization vulnerability in Apache ActiveMQ that allows authenticated users to remove existing destinations when they should not have that capability. The flaw, classified under [CWE-285] Improper Authorization, affects Apache ActiveMQ Broker versions before 5.19.7 and 6.0.0 through 6.2.5. An attacker with valid broker credentials can abuse permissions checks to delete queues or topics, disrupting messaging operations.

Critical Impact

Authenticated attackers can remove existing ActiveMQ destinations, causing message loss and integrity disruption for applications relying on the broker.

Affected Products

• Apache ActiveMQ Broker before 5.19.7
• Apache ActiveMQ Broker from 6.0.0 before 6.2.6
• Apache ActiveMQ (All distributions) in the same affected ranges

Discovery Timeline

• 2026-06-01 - CVE-2026-46605 published to NVD
• 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-46605

Vulnerability Analysis

Apache ActiveMQ is a widely deployed open-source message broker supporting JMS, AMQP, MQTT, and STOMP protocols. The broker enforces fine-grained authorization policies that govern which authenticated principals can create, read, write, or delete destinations such as queues and topics.

In affected versions, the authorization layer fails to fully validate destination removal operations. Authenticated connections can issue commands that remove existing destinations even when their assigned permissions should restrict that action. The result is a confidentiality-neutral, availability-impacting flaw that lets low-privileged users disrupt messaging workloads.

The attack does not require user interaction and is exploitable remotely against any ActiveMQ broker reachable over the network. Successful exploitation deletes destinations along with any persisted messages, breaking downstream consumers and producers.

Root Cause

The root cause is an incomplete authorization check in the destination management path. The broker validates that the principal is authenticated and holds some permission on the destination, but it does not enforce the specific delete or admin privilege required for removal. This gap aligns with [CWE-285] Improper Authorization.

Attack Vector

Exploitation requires network access to the broker and a valid set of credentials with at least minimal permissions on a destination. The attacker connects through any supported transport, then issues a remove-destination management command. Because the authorization layer accepts the request, the broker deletes the destination without raising an access-denied error.

No verified public proof-of-concept code is available. See the Apache Security Mailing List Thread and the Openwall OSS Security Update for advisory details.

Detection Methods for CVE-2026-46605

Indicators of Compromise

• Unexpected RemoveDestination or removeQueue / removeTopic JMX or advisory events in ActiveMQ logs.
• Sudden disappearance of queues or topics with no corresponding administrative change ticket.
• Authenticated broker sessions from low-privilege accounts performing destination management operations outside normal patterns.

Detection Strategies

• Enable ActiveMQ audit logging and forward broker logs to a centralized analytics platform to alert on destination removal events.
• Correlate broker authentication logs with destination lifecycle events to identify which principal initiated each removal.
• Baseline normal destination churn per environment and alert on anomalous spikes in remove operations.

Monitoring Recommendations

• Monitor the ActiveMQ.Advisory.Connection and ActiveMQ.Advisory.Queue / ActiveMQ.Advisory.Topic advisory topics for delete activity.
• Track JMX removeQueue and removeTopic invocations on the broker MBean.
• Alert on authentication followed quickly by destination removal from non-administrative service accounts.

How to Mitigate CVE-2026-46605

Immediate Actions Required

• Upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6, which contain the authorization fix.
• Inventory all ActiveMQ Broker instances, including embedded deployments inside other Java applications.
• Review broker authentication plugins and rotate credentials for any account suspected of misuse.

Patch Information

Apache has released fixed versions 5.19.7 and 6.2.6. Refer to the Apache Security Mailing List Thread for the official advisory and upgrade guidance.

Workarounds

• Restrict network access to broker management ports using firewall rules or service mesh policies.
• Tighten authorizationPlugin entries in activemq.xml so only dedicated administrative principals hold admin rights on destinations.
• Remove unused broker accounts and enforce strong, unique credentials for remaining authenticated clients.

# Configuration example: restrict admin rights on destinations in activemq.xml
# Only the 'brokerAdmins' group can administer (create/remove) destinations.
# Application accounts get read/write only.
#
# <authorizationPlugin>
#   <map>
#     <authorizationMap>
#       <authorizationEntries>
#         <authorizationEntry queue=">"
#                             read="appUsers"
#                             write="appUsers"
#                             admin="brokerAdmins"/>
#         <authorizationEntry topic=">"
#                             read="appUsers"
#                             write="appUsers"
#                             admin="brokerAdmins"/>
#       </authorizationEntries>
#     </authorizationMap>
#   </map>
# </authorizationPlugin>