oss-sec mailing list archives

Re: CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation

From: Yogesh Mittal <ymittal () redhat com>
Date: Wed, 4 Mar 2026 12:30:28 +0530

Hi Justin

I noticed that the cve.org link provided at the bottom of your email still
shows the CVE status as 'Reserved'. Could you please publish the CVE
details there as soon as possible?

Thanks and regards,

Yogesh Mittal

Manager, Product Security Vulnerability Management

Red Hat Pune <https://www.redhat.com/>

ymittal () redhat com
M: +91-9637123455


<https://www.redhat.com/>


On Tue, Mar 3, 2026 at 10:58 PM Justin Bertram <jbertram () apache org> wrote:

Severity: critical

Affected versions:

- Apache Artemis (org.apache.artemis:artemis-server) 2.50.0 through 2.51.0
- Apache ActiveMQ Artemis (org.apache.activemq:artemis-server) 2.11.0
through 2.44.0

Description:

Missing Authentication for Critical Function (CWE-306) vulnerability in
Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker
can use the Core protocol to force a target broker to establish an outbound
Core federation connection to an attacker-controlled rogue broker. This
could potentially result in message injection into any queue and/or message
exfiltration from any queue via the rogue broker. This impacts environments
that allow both:

- incoming Core protocol connections from untrusted sources to the broker

- outgoing Core protocol connections from the broker to untrusted targets

This issue affects:

- Apache Artemis from 2.50.0 through 2.51.0

- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0, which
fixes the issue.

The issue can be mitigated by either of the following:

- Remove Core protocol support from any acceptor receiving connections
from untrusted sources. Incoming Core protocol connections are supported by
default via the "artemis" acceptor listening on port 61616. See the
"protocols" URL parameter configured for the acceptor. An acceptor URL
without this parameter supports all protocols by default, including Core.

- Use two-way SSL (i.e. certificate-based authentication) in order to
force every client to present the proper SSL certificate when establishing
a connection before any message protocol handshake is attempted. This will
prevent unauthenticated exploitation of this vulnerability.

Credit:

Hardik Mehta <mehtahardik () proton me> (finder)

References:

https://artemis.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-27446

Current thread:

CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Justin Bertram (Mar 03)
- Re: CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Yogesh Mittal (Mar 04)