Apache ActiveMQ Improper Auth: /admin/* exposed before 5.19.8 & 6.2.7
CVE-2026-49877 Published on June 30, 2026
Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console
Improper Authorization vulnerability in Apache ActiveMQ.
An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Vulnerability Analysis
CVE-2026-49877 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-49877 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-49877
Want to know whenever a new CVE is published for Apache ActiveMQ? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache ActiveMQ:- Before 5.19.8 is affected.
- Version 6.0.0 and below 6.2.7 is affected.