CVE-2026-49270 Overview
CVE-2026-49270 is an information disclosure vulnerability in Apache ActiveMQ and Apache ActiveMQ Broker. The flaw allows an unauthenticated remote attacker to retrieve the complete list of durable topic subscriptions from a broker by sending a BrokerInfo command. Exposed metadata includes client identifiers, subscription names, topic destinations, and Java Message Service (JMS) selector expressions. The vulnerability is classified under CWE-1230 (Exposure of Sensitive Information Through Metadata). It affects brokers configured with a network connector where syncDurableSubs is set to true. Apache has released fixed versions 5.19.7 and 6.2.6.
Critical Impact
Unauthenticated attackers can enumerate durable topic subscription metadata, including client IDs and JMS selectors, exposing sensitive details about message flows and subscriber identities.
Affected Products
- Apache ActiveMQ before 5.19.7
- Apache ActiveMQ from 6.0.0 before 6.2.6
- Apache ActiveMQ Broker (and ActiveMQ All) in the same version ranges
Discovery Timeline
- 2026-06-01 - CVE-2026-49270 published to the National Vulnerability Database (NVD)
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-49270
Vulnerability Analysis
Apache ActiveMQ supports broker-to-broker networking through network connectors. When syncDurableSubs is enabled, brokers exchange durable subscription state so subscribers can receive messages regardless of which broker holds the active connection. This synchronization uses a BrokerInfo command exchanged early in the OpenWire connection lifecycle.
The broker responds to an inbound BrokerInfo command with the full list of durable topic subscriptions before validating that the peer connection is authenticated. An attacker who can reach the OpenWire transport port can send a single BrokerInfo frame and receive subscription metadata in return. The disclosed fields include client identifiers, subscription names, topic destinations, and JMS selector expressions.
The exposed data is valuable reconnaissance for an attacker. JMS selectors frequently embed business identifiers, routing logic, or filtering criteria, and client identifiers can reveal tenant names, application roles, or hostnames.
Root Cause
The broker performs the authentication check after dispatching the response to the BrokerInfo command. The protocol handler treats this command as part of connection negotiation rather than as an authenticated request, so credentials are never validated before sensitive metadata is serialized back to the peer.
Attack Vector
Exploitation requires network reachability to the OpenWire listener on a broker configured with syncDurableSubs=true on a network connector. No credentials, user interaction, or prior foothold are required. The attacker establishes a transport-level connection and issues a single BrokerInfo command. The broker replies with the subscription inventory. The Apache advisory (Apache Mailing List Thread) and the Openwall OSS-Security Post describe the protocol-level behavior.
Detection Methods for CVE-2026-49270
Indicators of Compromise
- Inbound OpenWire connections from unexpected source addresses that disconnect immediately after exchanging a BrokerInfo command.
- Broker logs showing BrokerInfo processing without a subsequent successful authentication for the same connection.
- Anomalous outbound traffic volume on the OpenWire port correlated with short-lived sessions.
Detection Strategies
- Inspect ActiveMQ broker logs for BrokerInfo commands originating from peers that are not declared network connectors.
- Compare the running ActiveMQ version against 5.19.7 and 6.2.6 across all broker hosts to identify unpatched instances.
- Audit broker configuration files for network connectors where syncDurableSubs is set to true.
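As an added example (not part of the advisory and not ActiveMQ project code), the following Python script performs the last two checks above: it compares a broker's version string against the fixed releases 5.19.7 and 6.2.6, and audits an activemq.xml document for networkConnector elements whose syncDurableSubs is explicitly "true" or an unresolved ${...} placeholder. The sample XML, connector names and peer hostnames are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by major version (5.x -> 5.19.7,
# 6.x -> 6.2.6). Major versions the advisory does not name are left unflagged.
FIXED_BY_MAJOR = {5: (5, 19, 7), 6: (6, 2, 6)}

# Constructed sample activemq.xml for demonstration, not a real deployment's file.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="b1">
    <networkConnectors>
      <networkConnector name="mesh-a" uri="static:(tcp://peer-a:61616)" syncDurableSubs="true"/>
      <networkConnector name="mesh-b" uri="static:(tcp://peer-b:61616)" syncDurableSubs="false"/>
      <networkConnector name="mesh-c" uri="static:(tcp://peer-c:61616)"/>
      <networkConnector name="mesh-d" uri="static:(tcp://peer-d:61616)" syncDurableSubs="${sync.subs}"/>
    </networkConnectors>
  </broker>
</beans>"""

def parse_version(version: str) -> tuple:
    """Extract (major, minor, patch) from strings like '5.18.3' or '6.2.5-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version: str) -> bool:
    """True when the version is older than the fixed release for its major line."""
    parsed = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(parsed[0])
    return fixed is not None and parsed < fixed

def find_sync_durable_subs(xml_text: str) -> list:
    """Return (connector name, value) for every networkConnector whose syncDurableSubs
    is explicitly "true" or a ${...} placeholder that cannot be resolved statically."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "networkConnector":  # strip the XML namespace
            continue
        value = elem.get("syncDurableSubs", "")
        if value.lower() == "true" or value.startswith("${"):
            findings.append((elem.get("name", "<unnamed>"), value))
    return findings

def assess(version: str, xml_text: str) -> dict:
    """Exposed only if the version is unpatched AND a connector enables syncDurableSubs."""
    flagged = find_sync_durable_subs(xml_text)
    unpatched = is_affected(version)
    return {"affected_version": unpatched, "connectors": flagged, "exposed": unpatched and bool(flagged)}
```

Connectors that omit the attribute are not flagged; a ${...} placeholder is reported so the resolved property can be checked by hand.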
Monitoring Recommendations
- Alert on OpenWire connections to broker ports (default 61616) from source addresses outside the approved broker mesh.
- Track session duration on OpenWire listeners and flag sessions that terminate without progressing past connection negotiation.
- Forward ActiveMQ broker logs to a centralized log platform and retain at least 90 days of history for retrospective hunting.
How to Mitigate CVE-2026-49270
Immediate Actions Required
- Upgrade Apache ActiveMQ and ActiveMQ Broker to version 5.19.7 or 6.2.6.
- Restrict network access to the OpenWire transport so only authorized brokers and clients can connect.
- Review broker configurations and disable syncDurableSubs on network connectors where cross-broker durable subscription state is not required.
Patch Information
Apache has released fixed versions 5.19.7 and 6.2.6. The patches enforce authentication before the broker responds to a BrokerInfo command. Details are available in the Apache Mailing List Thread.
Workarounds
- Place ActiveMQ brokers behind a firewall or private network segment so the OpenWire port is unreachable from untrusted networks.
- Set syncDurableSubs=false on network connectors if durable subscription synchronization is not operationally required.
- Require Transport Layer Security (TLS) with mutual authentication on OpenWire transports to prevent unauthenticated peers from initiating connections.
<!-- Configuration example: disable syncDurableSubs on a network connector in activemq.xml -->
<networkConnectors>
    <networkConnector
        name="broker-mesh"
        uri="static:(tcp://peer-broker:61616)"
        syncDurableSubs="false"
        duplex="false"
        userName="${broker.user}"
        password="${broker.password}"/>
</networkConnectors>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


