Pekko Management insecure Basic Auth before v1.1.1 (no authenticator)
CVE-2025-46548 Published on June 3, 2025
Apache Pekko Management, Apache Pekko Management, Apache Pekko Management, Akka Management, Akka Management, Akka Management: management API basic authentication is not effective
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.
Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.
Akka was affected by the same issue and has released the fix in version 1.6.1.
Vulnerability Analysis
CVE-2025-46548 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2025-46548 has been classified to as an authentification vulnerability or weakness.
Products Associated with CVE-2025-46548
stack.watch emails you whenever new vulnerabilities are published in Apache Pekko Management or Akka Management. Just hit a watch button to start following.
Affected Versions
Apache Software Foundation Apache Pekko Management:- Version 1.0.0 and below 1.1.1 is affected.
- Version 1.0.0 and below 1.1.1 is affected.
- Version 1.0.0 and below 1.1.1 is affected.
- Before 1.6.1 is affected.
- Before 1.6.1 is affected.
- Before 1.6.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.