PatchSiren cyber security CVE debrief

CVE-2026-46605 Apache Software Foundation CVE debrief

Incomplete authorization in Apache ActiveMQ allows authenticated users with destination removal permissions to remove existing destinations due to missing authorization checks. The vulnerability affects Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ core packages in versions before 5.19.7 and from 6.0.0 before 6.2.6. The issue was published on 2026-06-01 and is currently undergoing analysis in the NVD. The CVSS 3.1 score of 4.3 (MEDIUM) reflects network attack vector, low attack complexity, low privileges required, no user interaction, and low availability impact with no confidentiality or integrity impact. The weakness is categorized as CWE-285 (Improper Authorization). No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Broker
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

This affects organizations running Apache ActiveMQ message brokers with multi-user or delegated administrative access models, where non-administrative authenticated users may hold destination management permissions. Environments that rely on destination-level access controls for multi-tenancy or operational separation should prioritize patching.

Technical summary

Apache ActiveMQ versions before 5.19.7 and from 6.0.0 before 6.2.6 contain an incomplete authorization flaw: authenticated connections possessing destination removal permissions can remove existing destinations without proper authorization enforcement. The vulnerability is classified as CWE-285 (Improper Authorization) with a CVSS 3.1 score of 4.3 (MEDIUM). Exploitation requires network access, low privileges, and no user interaction, and results in a low availability impact. The fix adds the missing authorization checks in versions 5.19.7 and 6.2.6.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Apache ActiveMQ to version 5.19.7 or later (5.x line) or 6.2.6 or later (6.x line) to remediate the incomplete authorization vulnerability
  • Verify that only authorized administrative principals hold destination removal permissions pending upgrade
  • Review ActiveMQ broker audit logs for unexpected destination removal operations by authenticated users
  • Monitor Apache security mailing lists and official advisories for additional hardening guidance
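One way to act on the second item above (checking who holds destination removal rights) while the upgrade is pending, as an added example that is not part of the original advisory: a Python check over the broker's authorizationPlugin map. It assumes the ActiveMQ authorization plugin's `admin` permission is the one that governs creating and removing destinations (as the ActiveMQ security documentation describes) and uses a constructed activemq.xml fragment as its input.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the authorizationPlugin fragment of an activemq.xml
# (not a real deployment): the queue entry grants 'admin' (create/remove
# destinations) to the broad 'users' group, the topic entry restricts it.
SAMPLE_AUTH_XML = """\
<authorizationPlugin xmlns="http://activemq.apache.org/schema/core">
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry queue=">" read="users,admins" write="users,admins" admin="users,admins"/>
        <authorizationEntry topic=">" read="users,admins" write="users,admins" admin="admins"/>
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="users,admins" write="users,admins" admin="users,admins"/>
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>
"""

# Advisory topics are conventionally open to every client (the stock
# activemq.xml grants admin on them to all groups), so they are exempt.
EXEMPT_PREFIXES = ("ActiveMQ.Advisory.",)
DEST_ATTRS = ("queue", "topic", "tempQueue", "tempTopic")


def find_overbroad_admin(xml_text, approved_groups):
    """Return [(attr, destination, [offending groups])] for each
    authorizationEntry whose 'admin' names a group not in approved_groups."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "authorizationEntry":  # drop namespace
            continue
        attr = next((a for a in DEST_ATTRS if el.get(a) is not None), None)
        admin = el.get("admin")
        if attr is None or not admin or el.get(attr).startswith(EXEMPT_PREFIXES):
            continue
        groups = [g.strip() for g in admin.split(",") if g.strip()]
        offending = sorted(g for g in groups if g not in approved_groups)
        if offending:
            findings.append((attr, el.get(attr), offending))
    return findings


if __name__ == "__main__":
    for attr, dest, groups in find_overbroad_admin(SAMPLE_AUTH_XML, {"admins"}):
        print(f"{attr} {dest!r}: admin granted to non-admin groups {groups}")
```

Run it against the `<authorizationPlugin>` element extracted from your own activemq.xml; any finding is a destination pattern where groups outside your administrative set can create or remove destinations.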

Evidence notes

CVE description states authenticated connections can remove existing destinations with proper permissions due to incomplete authorization. Affected versions explicitly listed: before 5.19.7 and 6.0.0-6.2.5. Fix versions: 5.19.7 and 6.2.6. CVSS vector from NVD source metadata: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L scoring 4.3. Weakness source [email protected] identifies CWE-285. Vendor evidence from reference domain candidate points to Apache with low confidence; vendor name marked unknown requiring review.
