PatchSiren cyber security CVE debrief
CVE-2026-32642 Apache CVE debrief
CVE-2026-32642 is an Incorrect Authorization (CWE-863) vulnerability in Apache Artemis and Apache ActiveMQ Artemis. It occurs when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that does not exist, the authenticated user has the 'createDurableQueue' permission but not the 'createAddress' permission, and address auto-creation is disabled. In this case a temporary address is created, whereas the attempt to create the non-durable subscription should fail because the user is not authorized to create the corresponding address.
- Vendor: Apache
- Product: Artemis
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-24
- Original CVE updated: 2026-06-15
- Advisory published: 2026-03-24
- Advisory updated: 2026-06-15
Who should care
Users of Apache Artemis from version 2.50.0 through 2.52.0 and Apache ActiveMQ Artemis from version 2.0.0 through 2.44.0 should upgrade to version 2.53.0.
Technical summary
The vulnerability affects Apache Artemis from 2.50.0 through 2.52.0 and Apache ActiveMQ Artemis from 2.0.0 through 2.44.0. The CVSS score is 2.3, and the severity is LOW.
Defensive priority
LOW
Recommended defensive actions
- Upgrade to version 2.53.0
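A configuration check for the precondition in the description above, added here as an example (not PatchSiren's or Apache's code): it flags roles that hold `createDurableQueue` without `createAddress` on matches where `auto-create-addresses` is explicitly `false`. The sample `broker.xml` is constructed and `find_exposed_roles` is a hypothetical helper; as a simplification it pairs settings by identical `match` strings instead of resolving wildcard precedence, and it does not check whether an OpenWire acceptor is enabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample broker.xml fragment (not from a real deployment).
SAMPLE_BROKER_XML = """\
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-settings>
      <security-setting match="orders.#">
        <permission type="createDurableQueue" roles="app,ops"/>
        <permission type="createAddress" roles="ops"/>
      </security-setting>
      <security-setting match="audit.#">
        <permission type="createDurableQueue" roles="ops"/>
        <permission type="createAddress" roles="ops"/>
      </security-setting>
    </security-settings>
    <address-settings>
      <address-setting match="orders.#"><auto-create-addresses>false</auto-create-addresses></address-setting>
      <address-setting match="audit.#"><auto-create-addresses>false</auto-create-addresses></address-setting>
    </address-settings>
  </core>
</configuration>
"""

def find_exposed_roles(broker_xml):
    """Map each match to the roles that have createDurableQueue but not
    createAddress, where auto-create-addresses is explicitly false."""
    auto_off, perms = set(), {}
    for el in ET.fromstring(broker_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        if tag == "address-setting":
            for c in el:
                name = c.tag.rsplit("}", 1)[-1]
                if name == "auto-create-addresses" and (c.text or "").strip() == "false":
                    auto_off.add(el.get("match"))
        elif tag == "security-setting":
            by_type = perms.setdefault(el.get("match"), {})
            for p in el:
                roles = {r.strip() for r in p.get("roles", "").split(",") if r.strip()}
                by_type.setdefault(p.get("type"), set()).update(roles)
    findings = {}
    for match, by_type in perms.items():
        gap = by_type.get("createDurableQueue", set()) - by_type.get("createAddress", set())
        if gap and match in auto_off:
            findings[match] = sorted(gap)
    return findings

if __name__ == "__main__":
    print(find_exposed_roles(SAMPLE_BROKER_XML))
```

An empty result on a real configuration only means no identically matched pair was found; settings that apply through wildcards still need manual review.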
Evidence notes
The vulnerability was published on 2026-03-24T08:16:01.430Z and modified on 2026-06-15T13:03:40.357Z.
Official resources
- CVE-2026-32642 CVE record (CVE.org)
- CVE-2026-32642 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Mailing List, Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory