CVE-2026-49270

Published: Jun 1, 2026

Modified: Jun 1, 2026

PUBLISHED

Description

Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

Vendor	Product	Versions
Apache Software Foundation	Apache ActiveMQ Broker	affected `5.14.0 - < 5.19.7` affected `6.0.0 - < 6.2.6`
Apache Software Foundation	Apache ActiveMQ	affected `5.14.0 - < 5.19.7` affected `6.0.0 - < 6.2.6`
Apache Software Foundation	Apache ActiveMQ All	affected `5.14.0 - < 5.19.7` affected `6.0.0 - < 6.2.6`

Weaknesses (CWE)

CWE-1230

References

https://lists.apache.org/thread/k3233c1x506z3w7x4z0dqvd86d4v2fr2

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-49270

Description

Affected Products

Weaknesses (CWE)

References