Vulnerability-Lookup

WID-SEC-W-2026-0591

Vulnerability from csaf_certbund - Published: 2026-03-03 23:00 - Updated: 2026-03-05 23:00

Summary

Apache ActiveMQ/Artemis: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Apache ActiveMQ ist ein Open Source Message Broker, der den Transport von Nachrichten zwischen verschiedenen Programmen bewerkstelligt.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Apache ActiveMQ/Artemis ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen, und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2025-66168

CVE-2026-27446

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://seclists.org/oss-sec/2026/q1/249	external
	https://access.redhat.com/security/cve/cve-2026-27446	external
	https://seclists.org/oss-sec/2026/q1/250	external
	https://www.cve.org/CVERecord?id=CVE-2025-66168	external
	https://access.redhat.com/errata/RHSA-2026:3955	external
	https://access.redhat.com/errata/RHSA-2026:3957	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache ActiveMQ ist ein Open Source Message Broker, der den Transport von Nachrichten zwischen verschiedenen Programmen bewerkstelligt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Apache ActiveMQ/Artemis ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0591 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0591.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0591 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0591"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2026-03-03",
        "url": "https://seclists.org/oss-sec/2026/q1/249"
      },
      {
        "category": "external",
        "summary": "RedHat Customer Portal vom 2026-03-03",
        "url": "https://access.redhat.com/security/cve/cve-2026-27446"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2026-03-03",
        "url": "https://seclists.org/oss-sec/2026/q1/250"
      },
      {
        "category": "external",
        "summary": "CVE Record vom 2026-03-03",
        "url": "https://www.cve.org/CVERecord?id=CVE-2025-66168"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:3955 vom 2026-03-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:3955"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:3957 vom 2026-03-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:3957"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache ActiveMQ/Artemis: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-05T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-06T09:37:14.776+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0591",
      "initial_release_date": "2026-03-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-04T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-9382, EUVD-2025-208266"
        },
        {
          "date": "2026-03-05T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.19.2",
                "product": {
                  "name": "Apache ActiveMQ \u003c5.19.2",
                  "product_id": "T051391"
                }
              },
              {
                "category": "product_version",
                "name": "5.19.2",
                "product": {
                  "name": "Apache ActiveMQ 5.19.2",
                  "product_id": "T051391-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:activemq:5.19.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.1.9",
                "product": {
                  "name": "Apache ActiveMQ \u003c6.1.9",
                  "product_id": "T051392"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.9",
                "product": {
                  "name": "Apache ActiveMQ 6.1.9",
                  "product_id": "T051392-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:activemq:6.1.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.2.1",
                "product": {
                  "name": "Apache ActiveMQ \u003c6.2.1",
                  "product_id": "T051393"
                }
              },
              {
                "category": "product_version",
                "name": "6.2.1",
                "product": {
                  "name": "Apache ActiveMQ 6.2.1",
                  "product_id": "T051393-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:activemq:6.2.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Artemis \u003c2.52.0",
                "product": {
                  "name": "Apache ActiveMQ Artemis \u003c2.52.0",
                  "product_id": "T051394"
                }
              },
              {
                "category": "product_version",
                "name": "Artemis 2.52.0",
                "product": {
                  "name": "Apache ActiveMQ Artemis 2.52.0",
                  "product_id": "T051394-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:activemq:artemis__2.52.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ActiveMQ"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-66168",
      "product_status": {
        "known_affected": [
          "T051393",
          "T051392",
          "67646",
          "T051391"
        ]
      },
      "release_date": "2026-03-03T23:00:00.000+00:00",
      "title": "CVE-2025-66168"
    },
    {
      "cve": "CVE-2026-27446",
      "product_status": {
        "known_affected": [
          "T051394",
          "67646"
        ]
      },
      "release_date": "2026-03-03T23:00:00.000+00:00",
      "title": "CVE-2026-27446"
    }
  ]
}

CVE-2026-27446 (GCVE-0-2026-27446)

Vulnerability from cvelistv5 – Published: 2026-03-04 08:48 – Updated: 2026-03-17 15:29

Title

Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation

Summary

Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both: - incoming Core protocol connections from untrusted sources to the broker - outgoing Core protocol connections from the broker to untrusted targets This issue affects: - Apache Artemis from 2.50.0 through 2.51.0 - Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by one of the following: - Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. - Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability. - Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html .

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/jwpsdc8tdxotm98od…

vendor-advisory

Impacted products

Vendor

Product

Version

Apache Software Foundation

Apache Artemis

Affected: 2.50.0 , ≤ 2.51.0 (semver)

Apache Software Foundation

Apache ActiveMQ Artemis

Affected: 2.11.0 , ≤ 2.44.0 (semver)

Credits

Hardik Mehta <mehtahardik@proton.me>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-05T04:33:58.767Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/04/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/03/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27446",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-05T04:55:45.957Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.artemis:artemis-server",
          "product": "Apache Artemis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.51.0",
              "status": "affected",
              "version": "2.50.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:artemis-server",
          "product": "Apache ActiveMQ Artemis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.44.0",
              "status": "affected",
              "version": "2.11.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hardik Mehta \u003cmehtahardik@proton.me\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\u003c/p\u003e\u003cp\u003e- incoming Core protocol connections from untrusted sources to the broker\u003c/p\u003e\u003cp\u003e- outgoing Core protocol connections from the broker to untrusted targets\u003c/p\u003e\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003e- Apache Artemis from 2.50.0 through 2.51.0\u003c/p\u003e\u003cp\u003e- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\u003c/p\u003e\u003cp\u003eThe issue can be mitigated by one of the following:\u003c/p\u003e\u003cp\u003e- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \"artemis\" acceptor listening on port 61616. See the \"protocols\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\u003c/p\u003e\u003cp\u003e- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.\u003c/p\u003e\u003cp\u003e- Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte)\u0026nbsp;0xfffffff0. Documentation for interceptors is available at\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html\"\u003ehttps://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html\u003c/a\u003e.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:\n\n- incoming Core protocol connections from untrusted sources to the broker\n\n- outgoing Core protocol connections from the broker to untrusted targets\n\nThis issue affects:\n\n- Apache Artemis from 2.50.0 through 2.51.0\n\n- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.\n\nUsers are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.\n\nThe issue can be mitigated by one of the following:\n\n- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the \"artemis\" acceptor listening on port 61616. See the \"protocols\" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.\n\n- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.\n\n- Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte)\u00a00xfffffff0. Documentation for interceptors is available at\u00a0 https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html ."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-17T15:29:53.714Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg"
        }
      ],
      "source": {
        "defect": [
          "ARTEMIS-5928"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-27446",
    "datePublished": "2026-03-04T08:48:48.199Z",
    "dateReserved": "2026-02-19T16:10:53.921Z",
    "dateUpdated": "2026-03-17T15:29:53.714Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66168 (GCVE-0-2025-66168)

Vulnerability from cvelistv5 – Published: 2026-03-04 08:45 – Updated: 2026-03-04 20:28

Title

Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated

Summary

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/13n8mkrb2jf2y6yyh…

vendor-advisory

Impacted products

Vendor

Product

Version

Apache Software Foundation

Apache ActiveMQ

Affected: 0 , < 5.19.2 (semver)
Affected: 6.0.0 , < 6.1.9 (semver)
Affected: 6.2.0 , < 6.2.1 (semver)

	Apache Software Foundation	Apache ActiveMQ All Module	Affected: 0 , < 5.19.2 (semver) Affected: 6.0.0 , < 6.1.9 (semver) Affected: 6.2.0 , < 6.2.1 (semver)
	Apache Software Foundation	Apache ActiveMQ MQTT Module	Affected: 0 , < 5.19.2 (semver) Affected: 6.0.0 , < 6.1.9 (semver) Affected: 6.2.0 , < 6.2.1 (semver)

Credits

Gai Tanaka <641.work123@gmail.com>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-04T09:15:41.385Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/03/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66168",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T20:27:42.920592Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-04T20:28:45.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:apache-activemq",
          "product": "Apache ActiveMQ",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.9",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.1",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-all",
          "product": "Apache ActiveMQ All Module",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.9",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.1",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-mqtt",
          "product": "Apache ActiveMQ MQTT Module",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.9",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.1",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gai Tanaka \u003c641.work123@gmail.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eApache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;the broker susceptible to unexpected behavior when interacting with non-compliant clients.\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes.\u003c/span\u003e\u0026nbsp;The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted.\u003c/p\u003e\u003cp\u003eThis issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets.\u00a0When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes\u00a0the broker susceptible to unexpected behavior when interacting with non-compliant clients.\u00a0This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes.\u00a0The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted.\n\nThis issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0\n\nUsers are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T08:45:00.932Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/13n8mkrb2jf2y6yyhpgrkmpqcm7djyto"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-66168",
    "datePublished": "2026-03-04T08:45:00.932Z",
    "dateReserved": "2025-11-21T20:44:42.659Z",
    "dateUpdated": "2026-03-04T20:28:45.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0591

CVE-2026-27446 (GCVE-0-2026-27446)

CVE-2025-66168 (GCVE-0-2025-66168)

Tags

Sightings

Nomenclature