High

Incorrect Default Permissions in Apache ActiveMQ Jolokia Authorization

IdentifiersCVE-2026-49157CWE-276· Incorrect Default Permissions

CVE-2026-49157 is an incorrect default permissions vulnerability in Apache ActiveMQ affecting versions before 5.19.7 and versions from 6.0.0 before 6.2.6. In affected releases, the default Jolokia authorization configuration granted authenticated non-admin, low-privilege web-login accounts access to Jolokia broker-management operations that should have been restricted to administrators. This exposed administrative broker functions such as addQueue and removeQueue through the management interface, allowing low-privilege users to perform unauthorized broker management actions.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privilege user to perform administrative broker-management operations via Jolokia that are intended only for administrators. This can result in unauthorized creation or deletion of queues, improper modification of broker state, disruption of messaging workflows, and effective privilege escalation within the ActiveMQ management plane. Depending on deployment and queue usage, this may affect confidentiality, integrity, and availability of broker-managed messaging operations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the ActiveMQ web console and Jolokia management endpoints to trusted administrative users and trusted networks only. Review and tighten role mappings and authorization rules so that low-privilege web-login accounts cannot invoke broker-management operations. Audit existing non-admin accounts for unintended management access until fixed versions can be deployed.

Remediation

Patch, then assume compromise.

Upgrade Apache ActiveMQ to a fixed release: 5.19.7 or later on the 5.x branch, or 6.2.6 or later on the 6.x branch. The vendor states these versions fix the incorrect default Jolokia authorization behavior. After upgrading, review Jolokia and web-console authorization settings to ensure administrative operations are restricted to intended administrator roles only.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Apache Software FoundationActivemqapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

cyber security newsNews

Jun 3, 2026

Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections

An incorrect default permissions vulnerability in Apache ActiveMQ that allows authenticated low-privilege users to access Jolokia broker management endpoints and perform sensitive broker operations due to overly permissive authorization settings.

security online infoNews

Jun 2, 2026

ActiveMQ Security Flaws Expose Message Brokers

An Apache ActiveMQ authorization weakness caused by insecure default authentication configuration, allowing low-privilege users to perform administrative actions such as adding or deleting message queues.

cvefeed high severityNews

Jun 1, 2026

CVE-2026-49157 - Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

An incorrect default permissions vulnerability in Apache ActiveMQ where low-privilege web-login accounts could access Jolokia operations intended for administrators, enabling broker management actions such as addQueue and removeQueue.

lists apacheNews

May 31, 2026

CVE-2026-49157: Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default-Apache Mail Archives

An incorrect default permissions vulnerability in Apache ActiveMQ where default Jolokia authorization settings allowed low-privilege web-login accounts to perform broker management operations intended for administrators.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-49157

NVD

nvd.nist.gov/vuln/detail/CVE-2026-49157

MITRE CWE · CWE-276

Incorrect Default Permissions

Vendor Advisory

lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8

Third Party Advisory

openwall.com/lists/oss-security/2026/05/31/21