PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49157 Apache Software Foundation CVE debrief

Apache ActiveMQ contains an Incorrect Default Permissions vulnerability (CWE-276) in its Jolokia authorization configuration. The default settings grant non-administrative web-login accounts access to privileged broker management operations—including addQueue and removeQueue—that are intended for administrative users only. This authorization bypass allows low-privilege authenticated attackers to execute administrative functions on the message broker. The vulnerability affects Apache ActiveMQ versions prior to 5.19.7 and versions 6.0.0 through 6.2.5. Apache released patched versions 5.19.7 and 6.2.6 on June 1, 2026 to correct the default Jolokia authorization restrictions. No known exploitation in ransomware campaigns has been reported.

Vendor: Apache Software Foundation
Product: Apache ActiveMQ
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache ActiveMQ with Jolokia enabled and web console authentication configured should prioritize this patch, particularly those with multi-user broker environments where non-administrative users have web console access. Security teams should assess exposure of Jolokia endpoints to internal networks and verify that role-based access controls align with operational requirements.

Technical summary

The vulnerability stems from default Jolokia authorization configuration in Apache ActiveMQ that fails to properly segregate administrative operations from standard user capabilities. Jolokia, a JMX-to-HTTP bridge commonly deployed with ActiveMQ, exposes management operations through HTTP endpoints. The affected versions apply insufficient role-based access controls by default, permitting authenticated users with non-administrative web-login credentials to invoke MBean operations reserved for administrators. This includes queue lifecycle management (addQueue, removeQueue) and potentially other broker configuration changes. The CVSS 3.1 score of 8.8 (HIGH) reflects the network accessibility of the service, low complexity of exploitation, and high impact potential across the CIA triad given broker-level control. The fix in versions 5.19.7 and 6.2.6 tightens the default authorization constraints to require administrative privileges for sensitive Jolokia operations.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Apache ActiveMQ to version 6.2.6 or 5.19.7, which correct the default Jolokia authorization settings to restrict administrative operations to admin accounts
  • If immediate patching is not feasible, review and manually restrict Jolokia authorization policies to ensure only administrative roles can access broker management operations such as addQueue and removeQueue
  • Audit existing ActiveMQ installations for unauthorized queue modifications or configuration changes that may indicate prior exploitation of this authorization weakness
  • Review web console user accounts and role assignments to enforce principle of least privilege, ensuring non-admin accounts do not possess unnecessary broker management permissions
  • Monitor Jolokia access logs for anomalous administrative operation requests originating from low-privilege authenticated sessions
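One way to implement the log-monitoring action above, as an added example that is not part of this debrief: a Python filter that flags the operations the advisory names (addQueue, removeQueue) whenever the authenticated web-login user is not an administrator. The access-log layout, the role mapping in ADMIN_USERS, and the sample lines are assumptions constructed for this example; the Jolokia GET (/exec/<mbean>/<operation>/...) and POST ("type": "exec") request shapes are the bridge's standard forms.

```python
import json
import re

# Broker MBean operations the advisory names as admin-only.
PRIVILEGED_OPS = {"addQueue", "removeQueue"}
# Assumed for this example: which web-login accounts hold the admin role.
ADMIN_USERS = {"admin"}

# Constructed access-log lines (not real data): common-log fields, user in
# the third column, then an optional POST body after the status code.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jun/2026:10:00:01 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addQueue/orders HTTP/1.1" 200 -
10.0.0.9 - viewer [01/Jun/2026:10:00:07 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalEnqueueCount HTTP/1.1" 200 -
10.0.0.9 - viewer [01/Jun/2026:10:00:12 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/removeQueue/orders HTTP/1.1" 200 -
10.0.0.9 - viewer [01/Jun/2026:10:00:20 +0000] "POST /api/jolokia/ HTTP/1.1" 200 {"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addQueue","arguments":["scratch"]}
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ?(?P<body>.*)$', re.M)


def jolokia_operation(method, path, body):
    """Return the MBean operation a Jolokia request invokes, or None."""
    # GET form: /exec/<mbean>/<operation>/<args...>
    if method == "GET" and "/exec/" in path:
        parts = path.split("/exec/", 1)[1].split("/")
        return parts[1] if len(parts) > 1 else None
    # POST form: JSON body with "type": "exec" and an "operation" key.
    if method == "POST" and body.startswith("{"):
        try:
            req = json.loads(body)
        except ValueError:
            return None  # malformed body: nothing to classify
        if req.get("type") == "exec":
            return req.get("operation")
    return None


def find_privileged_by_non_admin(log_text, admin_users=ADMIN_USERS):
    """Return (timestamp, ip, user, operation) for privileged ops by non-admins."""
    findings = []
    for m in LINE_RE.finditer(log_text):  # lines that do not parse are skipped
        op = jolokia_operation(m["method"], m["path"], m["body"])
        if op in PRIVILEGED_OPS and m["user"] not in admin_users:
            findings.append((m["ts"], m["ip"], m["user"], op))
    return findings


if __name__ == "__main__":
    for ts, ip, user, op in find_privileged_by_non_admin(SAMPLE_LOG):
        print(f"{ts} {ip}: non-admin {user!r} invoked {op}")
```

On the constructed sample the admin's addQueue and the viewer's read request pass, while the viewer's removeQueue and POST addQueue are reported; on a patched broker those two requests should fail authorization rather than return 200.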

Evidence notes

The CVE description explicitly states that the default Jolokia authorization settings grant non-admin (low-privilege) web-login accounts access to Jolokia operations such as addQueue and removeQueue. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms a network attack vector with low attack complexity and low privileges required, yielding high impacts across confidentiality, integrity, and availability. CWE-276 (Incorrect Default Permissions) is identified as the weakness. The Apache security list reference provides vendor disclosure context.

Official resources

Apache ActiveMQ versions before 5.19.7 and from 6.0.0 before 6.2.6 ship with overly permissive default Jolokia authorization settings that incorrectly allow non-admin web-login accounts to perform administrative broker management operations