CVE-2026-40914 Apache Software Foundation CVE debrief

Who should care

Organizations running Apache Artemis or Apache ActiveMQ Artemis with STOMP protocol enabled, particularly those with multi-tenant messaging environments or strict address-level access controls. Security teams responsible for messaging middleware authorization policies and operators managing STOMP client permissions.

Technical summary

The vulnerability exists in the STOMP protocol implementation of Apache Artemis where the authorization check for routing-type augmentation is improperly decoupled from the createAddress permission. A user with consume or send permissions can successfully complete message operations that involve routing-types not originally supported by the target address, effectively escalating their capabilities beyond granted permissions. The fix in version 2.54.0 enforces proper authorization validation to prevent this bypass.

Defensive priority

medium

Recommended defensive actions

• Upgrade Apache Artemis to version 2.54.0 or later to remediate this vulnerability
• Review STOMP user permissions to ensure principle of least privilege for consume and send operations
• Audit address configurations to verify routing-type settings match intended security policies
• Monitor for unauthorized routing-type modifications in STOMP client activity logs
• Verify createAddress permission assignments align with organizational authorization requirements

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. CWE-863 (Incorrect Authorization) identified as the weakness type. Affected version ranges and remediation guidance (upgrade to 2.54.0) derived from CVE description. Vendor attribution to Apache based on reference domain evidence with low confidence flag for review.

Official resources