CVE-2026-54475 (GCVE-0-2026-54475)

Vulnerability from cvelistv5 – Published: 2026-06-30 09:48 – Updated: 2026-06-30 14:52
VLAI
Title
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover
Summary
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache ActiveMQ Broker Affected: 0 , < 5.19.8 (semver)
Affected: 6.0.0 , < 6.2.7 (semver)
Create a notification for this product.
Apache Software Foundation Apache ActiveMQ All Affected: 0 , < 5.19.8 (semver)
Affected: 6.0.0 , < 6.2.7 (semver)
Create a notification for this product.
Apache Software Foundation Apache ActiveMQ Affected: 0 , < 5.19.8 (semver)
Affected: 6.0.0 , < 6.2.7 (semver)
Create a notification for this product.
Credits
Leon Johnson (github: lokerxx)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-30T11:06:25.154Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/29/15"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-54475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T14:52:21.373754Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T14:52:25.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-broker",
          "product": "Apache ActiveMQ Broker",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.7",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-all",
          "product": "Apache ActiveMQ All",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.7",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:apache-activemq",
          "product": "Apache ActiveMQ",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.7",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Leon Johnson (github: lokerxx)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\u003c/p\u003eApache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a\u0026nbsp;different connection to consume from another connection\u0027s temporary\u003cbr\u003edestination.\u003cbr\u003e\u003cp\u003eThis issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 6.2.7, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\n\nApache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a\u00a0different connection to consume from another connection\u0027s temporary\ndestination.\nThis issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.\n\nUsers are recommended to upgrade to version 6.2.7, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T09:48:28.852Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/85f3q7mkh71y7qwyn6wvgw0bw4jl06ys"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-54475",
    "datePublished": "2026-06-30T09:48:28.852Z",
    "dateReserved": "2026-06-15T16:52:41.340Z",
    "dateUpdated": "2026-06-30T14:52:25.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-54475\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-06-30T11:16:30.407\",\"lastModified\":\"2026-06-30T15:16:57.927\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\\n\\nApache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a\u00a0different connection to consume from another connection\u0027s temporary\\ndestination.\\nThis issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.\\n\\nUsers are recommended to upgrade to version 6.2.7, which fixes the issue.\"}],\"affected\":[{\"source\":\"security@apache.org\",\"affectedData\":[{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache ActiveMQ Broker\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://repo.maven.apache.org/maven2\",\"packageName\":\"org.apache.activemq:activemq-broker\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"5.19.8\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"6.0.0\",\"lessThan\":\"6.2.7\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache ActiveMQ All\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://repo.maven.apache.org/maven2\",\"packageName\":\"org.apache.activemq:activemq-all\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"5.19.8\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"6.0.0\",\"lessThan\":\"6.2.7\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache ActiveMQ\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://repo.maven.apache.org/maven2\",\"packageName\":\"org.apache.activemq:apache-activemq\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"5.19.8\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"6.0.0\",\"lessThan\":\"6.2.7\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-30T14:52:21.373754Z\",\"id\":\"CVE-2026-54475\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/85f3q7mkh71y7qwyn6wvgw0bw4jl06ys\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/06/29/15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/06/29/15\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-06-30T11:06:25.154Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54475\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-30T14:52:21.373754Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-30T14:52:16.430Z\"}}], \"cna\": {\"title\": \"Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Leon Johnson (github: lokerxx)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ Broker\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.19.8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.2.7\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.activemq:activemq-broker\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ All\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.19.8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.2.7\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.activemq:activemq-all\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache ActiveMQ\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.19.8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"lessThan\": \"6.2.7\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.activemq:apache-activemq\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/85f3q7mkh71y7qwyn6wvgw0bw4jl06ys\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\\n\\nApache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a\\u00a0different connection to consume from another connection\u0027s temporary\\ndestination.\\nThis issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.\\n\\nUsers are recommended to upgrade to version 6.2.7, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMissing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\u003c/p\u003eApache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a\u0026nbsp;different connection to consume from another connection\u0027s temporary\u003cbr\u003edestination.\u003cbr\u003e\u003cp\u003eThis issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 6.2.7, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-06-30T09:48:28.852Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-54475\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T14:52:25.352Z\", \"dateReserved\": \"2026-06-15T16:52:41.340Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-06-30T09:48:28.852Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…