PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49270 Apache Software Foundation CVE debrief

An unauthenticated information disclosure vulnerability exists in Apache ActiveMQ Broker, Apache ActiveMQ, and Apache ActiveMQ All. Brokers configured with a network connector and syncDurableSubs enabled incorrectly respond to BrokerInfo commands without requiring authentication, exposing durable topic subscription metadata including client identifiers, subscription names, topic destinations, and JMS selector expressions. The vulnerability affects versions before 5.19.7 and from 6.0.0 before 6.2.6. Apache has released patched versions 5.19.7 and 6.2.6.

Vendor
Apache Software Foundation
Product
Apache ActiveMQ Broker
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running Apache ActiveMQ Broker, Apache ActiveMQ, or Apache ActiveMQ All with network connectors and syncDurableSubs enabled, particularly in multi-tenant or externally accessible messaging deployments.

Technical summary

The vulnerability stems from missing authentication checks when processing BrokerInfo commands on network connectors with syncDurableSubs=true. An unauthenticated remote attacker can send a BrokerInfo command and receive a complete listing of durable topic subscriptions, including sensitive metadata: client identifiers, subscription names, topic destinations, and JMS selector expressions. This represents an Exposure of Sensitive Information Through Metadata weakness (CWE-1230). The attack requires network access to the broker's listening port and a broker configuration with syncDurableSubs enabled on a network connector. No authentication credentials are required.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Apache ActiveMQ Broker, Apache ActiveMQ, or Apache ActiveMQ All to a fixed release: 5.19.7 or later on the 5.x line, or 6.2.6 or later on the 6.x line.
  • If immediate patching is not feasible, disable syncDurableSubs on network connectors or restrict network connector access to trusted peers.
  • Review broker access logs for unauthenticated BrokerInfo commands from unexpected sources.
  • Audit durable topic subscriptions for unauthorized access and rotate client identifiers if exposure is suspected.
  • Monitor for follow-up Apache security advisories for additional hardening guidance.
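As an added illustration, not taken from the advisory or from the ActiveMQ project, the interim mitigation above expressed in activemq.xml: the exposed network connector configuration next to a hardened form. Broker names, hostnames and the internal bind address are assumed placeholders.

```xml
<!-- Exposed: a network connector with syncDurableSubs enabled on an affected
     release. The broker answers BrokerInfo commands on its listening port
     without authentication, disclosing durable topic subscription metadata. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker-a">
  <networkConnectors>
    <networkConnector name="to-broker-b"
                      uri="static:(tcp://broker-b.example.internal:61616)"
                      syncDurableSubs="true"/>
  </networkConnectors>
  <transportConnectors>
    <!-- Listens on every interface, so any host that can reach port 61616
         can send a BrokerInfo command. -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  </transportConnectors>
</broker>

<!-- Hardened interim form while the upgrade to 5.19.7 / 6.2.6 is scheduled:
     syncDurableSubs explicitly disabled, and the OpenWire listener bound to an
     internal address (10.0.5.10 is a placeholder) so only trusted peers on that
     network can reach the port at all. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker-a">
  <networkConnectors>
    <networkConnector name="to-broker-b"
                      uri="static:(tcp://broker-b.example.internal:61616)"
                      syncDurableSubs="false"/>
  </networkConnectors>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://10.0.5.10:61616"/>
  </transportConnectors>
</broker>
```

Disabling syncDurableSubs removes the unauthenticated disclosure path described in the advisory but also stops the broker from synchronising durable subscriptions across the network bridge, so confirm the application does not depend on that behaviour before applying it. Binding the listener to an internal address narrows who can reach the port; it is a stopgap, not a replacement for the fixed release.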

Evidence notes

CVE published 2026-06-01. NVD status: Undergoing Analysis. CVSS 3.1 score 5.9 (MEDIUM). CWE-1230 (Exposure of Sensitive Information Through Metadata). Affected versions confirmed in official CVE description. Vendor advisory referenced via Apache security mailing list.
