CVE-2026-49157 Overview
CVE-2026-49157 is an Incorrect Default Permissions vulnerability [CWE-276] in Apache ActiveMQ. The flaw stems from the default Jolokia authorization configuration, which granted non-admin web-login accounts access to Jolokia operations reserved for administrators. Authenticated low-privilege users could invoke broker management operations such as addQueue and removeQueue against the message broker.
The issue affects Apache ActiveMQ versions before 5.19.7 and versions 6.0.0 through 6.2.5. The Apache ActiveMQ project has released fixed versions 5.19.7 and 6.2.6.
Critical Impact
Authenticated low-privilege users can execute broker administrative operations through Jolokia, leading to message queue manipulation, service disruption, and potential broker compromise.
Affected Products
- Apache ActiveMQ versions prior to 5.19.7
- Apache ActiveMQ versions 6.0.0 through 6.2.5
- Deployments exposing the Jolokia HTTP/JMX bridge with default authorization settings
Discovery Timeline
- 2026-06-01 - CVE-2026-49157 published to NVD
- 2026-06-01 - Last updated in the NVD database
Technical Details for CVE-2026-49157
Vulnerability Analysis
Apache ActiveMQ ships with a Jolokia endpoint that exposes the broker's JMX MBeans over HTTP. Jolokia operations include privileged broker management actions such as creating and removing queues, purging messages, and altering broker configuration.
The default Jolokia authorization policy shipped with affected versions mapped low-privilege web-login roles to operations that should be limited to administrators. Any authenticated account capable of logging into the ActiveMQ web console could invoke these operations through Jolokia, regardless of intended role separation.
Successful exploitation impacts confidentiality, integrity, and availability: an attacker can inspect broker internals, delete or recreate queues, and disrupt downstream consumers that depend on message ordering or delivery.
Root Cause
The root cause is an overly permissive default access control list in the Jolokia configuration. The policy did not restrict broker mutation operations such as addQueue and removeQueue to administrative roles, violating least-privilege design [CWE-276].
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker with a valid non-admin web-login account sends HTTP requests to the Jolokia endpoint, typically reachable at /api/jolokia/ on the ActiveMQ web console. The attacker invokes JMX operations on broker MBeans to manage queues and other resources.
No verified public proof-of-concept exploit code is available at publication time. For technical detail, refer to the Apache Mailing List Thread and the OpenWall OSS Security Update.
Detection Methods for CVE-2026-49157
Indicators of Compromise
- HTTP POST requests to /api/jolokia/ or /hawtio/jolokia/ from non-administrative user sessions invoking exec operations on org.apache.activemq:type=Broker MBeans.
- Unexpected creation or removal of queues and topics correlated with broker audit.log entries attributing the action to a non-admin principal.
- Jolokia requests referencing operations such as addQueue, removeQueue, purge, or removeTopic outside scheduled administrative windows.
Detection Strategies
- Review ActiveMQ audit.log and Jetty access logs for Jolokia calls invoking management operations and cross-reference the requesting principal against the administrator role list.
- Alert on HTTP requests to Jolokia endpoints that include type=exec payloads targeting broker MBeans, especially from accounts not present in the admins group.
- Compare the current queue inventory to a known-good baseline and flag unauthorized additions or deletions.
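As an added example (not part of this advisory or of the ActiveMQ project), the following Python applies the second detection strategy above to constructed Jolokia requests: it extracts exec calls from both GET-style URLs and POST JSON bodies (including bulk arrays), and flags mutating operations on org.apache.activemq:type=Broker MBeans issued by principals outside an assumed admins set.

```python
# Added example (not from the advisory): flag non-admin Jolokia exec calls on broker MBeans.
import json
from urllib.parse import unquote
JOLOKIA_PATHS = ("/api/jolokia", "/hawtio/jolokia")
BROKER_MBEAN_PREFIX = "org.apache.activemq:type=Broker"
SENSITIVE_OPS = {"addQueue", "removeQueue", "addTopic", "removeTopic", "purge"}
ADMIN_PRINCIPALS = {"admin"}  # assumed admins-group membership, example only


def jolokia_exec_ops(method, path, body):
    """Yield (mbean, operation) for each exec request in one HTTP call, whether
    GET style (/exec/<mbean>/<op>/<args...>) or a POST JSON body (single or bulk)."""
    prefix = next((p for p in JOLOKIA_PATHS if path.startswith(p)), None)
    if prefix is None:
        return
    if method == "GET":
        parts = unquote(path[len(prefix):]).strip("/").split("/")
        if len(parts) >= 3 and parts[0] == "exec":
            yield parts[1], parts[2]
    elif method == "POST" and body:
        reqs = json.loads(body)
        for req in reqs if isinstance(reqs, list) else [reqs]:
            if req.get("type") == "exec":
                yield req.get("mbean", ""), req.get("operation", "")


def find_suspicious(requests, admins=ADMIN_PRINCIPALS):
    """requests: (principal, method, path, body) tuples, principal taken from the
    authenticated console session. Returns (principal, operation, mbean) alerts."""
    alerts = []
    for principal, method, path, body in requests:
        if principal in admins:
            continue
        for mbean, op in jolokia_exec_ops(method, path, body):
            op = op.split("(")[0]  # drop a signature suffix such as addQueue(java.lang.String)
            if mbean.startswith(BROKER_MBEAN_PREFIX) and op in SENSITIVE_OPS:
                alerts.append((principal, op, mbean))
    return alerts


# Constructed sample traffic against a broker named "localhost".
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_REQUESTS = [
    ("user", "POST", "/api/jolokia/", json.dumps(
        {"type": "exec", "mbean": BROKER, "operation": "addQueue", "arguments": ["NEWQ"]})),
    ("user", "GET", f"/api/jolokia/exec/{BROKER}/removeQueue/ORDERS", None),
    ("admin", "POST", "/api/jolokia/", json.dumps(
        {"type": "exec", "mbean": BROKER, "operation": "addQueue", "arguments": ["OK"]})),
    ("user", "POST", "/api/jolokia/", json.dumps(
        {"type": "read", "mbean": BROKER, "attribute": "TotalEnqueueCount"})),
]
```

In production the principal comes from the Jetty access log or the broker audit.log entry for the same request, and the admins set from the configured admins group.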
Monitoring Recommendations
- Forward ActiveMQ broker logs and Jetty access logs to a centralized SIEM and enable retention sufficient to investigate historical Jolokia activity.
- Monitor the broker's JMX notification stream for QueueAdded and QueueRemoved events and correlate with authenticated session identifiers.
- Track authentication events to the ActiveMQ web console and alert on low-privilege accounts performing administrative API calls.
How to Mitigate CVE-2026-49157
Immediate Actions Required
- Upgrade Apache ActiveMQ to version 6.2.6 or 5.19.7, which ship with corrected default Jolokia authorization settings.
- Audit existing web-login accounts and remove or downgrade any non-administrative accounts that are no longer required.
- Restrict network exposure of the ActiveMQ web console and Jolokia endpoint to trusted management networks only.
Patch Information
The Apache ActiveMQ project resolved CVE-2026-49157 in versions 5.19.7 and 6.2.6. The fix tightens the default Jolokia authorization policy so that broker mutation operations require administrative privileges. Release details are available in the Apache Mailing List Thread.
Workarounds
- Override the default jolokia-access.xml policy to explicitly deny exec operations on broker MBeans for non-admin roles until upgrade is complete.
- Place the ActiveMQ web console behind a reverse proxy that enforces additional authorization checks on /api/jolokia/ paths.
- Disable the Jolokia servlet entirely if it is not required by removing or commenting the Jolokia mapping in the jetty.xml configuration.
<!-- Example: deny Jolokia exec access to non-admin roles in jolokia-access.xml -->
<!-- Place this file at $ACTIVEMQ_HOME/conf/jolokia-access.xml -->
<restrict>
  <commands>
    <command>exec</command>
  </commands>
  <allow>
    <role>admins</role>
  </allow>
</restrict>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.