Apache ActiveMQ server has an incomplete authorization workflow
Moderate severity
GitHub Reviewed
Published
Jun 1, 2026
to the GitHub Advisory Database
•
Updated Jul 9, 2026
Package
Affected versions
< 5.19.7
>= 6.0.0, < 6.2.6
Patched versions
5.19.7
6.2.6
Description
Published by the National Vulnerability Database
Jun 1, 2026
Published to the GitHub Advisory Database
Jun 1, 2026
Reviewed
Jul 9, 2026
Last updated
Jul 9, 2026
Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions.
This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.
References