oss-sec mailing list archives

CVE-2026-32642: Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission


From: Justin Bertram <jbertram () apache org>
Date: Fri, 20 Mar 2026 18:44:28 +0000

Severity: low 

Affected versions:

- Apache Artemis (org.apache.artemis:artemis-openwire-protocol) 2.50.0 through 2.52.0
- Apache ActiveMQ Artemis (org.apache.activemq:artemis-openwire-protocol) 2.0.0 through 2.44.0

Description:

Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application 
using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist 
with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" 
permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the 
attempt to create the non-durable subscription should instead fail since the user is not authorized to create the 
corresponding address. When the OpenWire connection is closed the address is removed.

This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.53.0, which fixes the issue.

Credit:

Stephen Higgs <shiggs () redhat com> (reporter)

References:

https://artemis.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-32642


Current thread: