Apache ActiveMQ Jolokia Permission Escalation (5.19.6, <6.2.6)
CVE-2026-49157 Published on June 1, 2026
Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default
Incorrect Default Permissions vulnerability in Apache ActiveMQ.
This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations, which allowed them to execute broker management operations meant for admins, such as addQueue and removeQueue.
Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Weakness Type
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
Products Associated with CVE-2026-49157
Affected Versions
Apache Software Foundation Apache ActiveMQ:
- Versions before 5.19.7 are affected.
- Versions from 6.0.0 up to, but not including, 6.2.6 are affected.