Vulnerability Details CVE-2026-49877
Improper Authorization vulnerability in Apache ActiveMQ.
An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 39.7%
CVSS Severity
CVSS v3 Score 8.1
Products affected by CVE-2026-49877
-
cpe:2.3:a:apache:activemq:-
-
cpe:2.3:a:apache:activemq:4.0
-
cpe:2.3:a:apache:activemq:4.0.1
-
cpe:2.3:a:apache:activemq:4.0.2
-
cpe:2.3:a:apache:activemq:4.1.0
-
cpe:2.3:a:apache:activemq:4.1.1
-
cpe:2.3:a:apache:activemq:4.1.2
-
cpe:2.3:a:apache:activemq:5.0.0
-
cpe:2.3:a:apache:activemq:5.1.0
-
cpe:2.3:a:apache:activemq:5.10.0
-
cpe:2.3:a:apache:activemq:5.10.1
-
cpe:2.3:a:apache:activemq:5.10.2
-
cpe:2.3:a:apache:activemq:5.11.0
-
cpe:2.3:a:apache:activemq:5.11.1
-
cpe:2.3:a:apache:activemq:5.11.2
-
cpe:2.3:a:apache:activemq:5.11.3
-
cpe:2.3:a:apache:activemq:5.12.0
-
cpe:2.3:a:apache:activemq:5.12.1
-
cpe:2.3:a:apache:activemq:5.12.2
-
cpe:2.3:a:apache:activemq:5.12.3
-
cpe:2.3:a:apache:activemq:5.13.0
-
cpe:2.3:a:apache:activemq:5.13.1
-
cpe:2.3:a:apache:activemq:5.13.2
-
cpe:2.3:a:apache:activemq:5.13.3
-
cpe:2.3:a:apache:activemq:5.13.4
-
cpe:2.3:a:apache:activemq:5.13.5
-
cpe:2.3:a:apache:activemq:5.14.0
-
cpe:2.3:a:apache:activemq:5.14.1
-
cpe:2.3:a:apache:activemq:5.14.2
-
cpe:2.3:a:apache:activemq:5.14.3
-
cpe:2.3:a:apache:activemq:5.14.4
-
cpe:2.3:a:apache:activemq:5.14.5
-
cpe:2.3:a:apache:activemq:5.15.0
-
cpe:2.3:a:apache:activemq:5.15.1
-
cpe:2.3:a:apache:activemq:5.15.10
-
cpe:2.3:a:apache:activemq:5.15.11
-
cpe:2.3:a:apache:activemq:5.15.12
-
cpe:2.3:a:apache:activemq:5.15.13
-
cpe:2.3:a:apache:activemq:5.15.14
-
cpe:2.3:a:apache:activemq:5.15.15
-
cpe:2.3:a:apache:activemq:5.15.16
-
cpe:2.3:a:apache:activemq:5.15.2
-
cpe:2.3:a:apache:activemq:5.15.3
-
cpe:2.3:a:apache:activemq:5.15.4
-
cpe:2.3:a:apache:activemq:5.15.5
-
cpe:2.3:a:apache:activemq:5.15.6
-
cpe:2.3:a:apache:activemq:5.15.7
-
cpe:2.3:a:apache:activemq:5.15.8
-
cpe:2.3:a:apache:activemq:5.15.9
-
cpe:2.3:a:apache:activemq:5.16.0
-
cpe:2.3:a:apache:activemq:5.16.1
-
cpe:2.3:a:apache:activemq:5.16.2
-
cpe:2.3:a:apache:activemq:5.16.3
-
cpe:2.3:a:apache:activemq:5.16.4
-
cpe:2.3:a:apache:activemq:5.16.5
-
cpe:2.3:a:apache:activemq:5.16.6
-
cpe:2.3:a:apache:activemq:5.16.7
-
cpe:2.3:a:apache:activemq:5.16.8
-
cpe:2.3:a:apache:activemq:5.17.0
-
cpe:2.3:a:apache:activemq:5.17.1
-
cpe:2.3:a:apache:activemq:5.17.2
-
cpe:2.3:a:apache:activemq:5.17.3
-
cpe:2.3:a:apache:activemq:5.17.4
-
cpe:2.3:a:apache:activemq:5.17.5
-
cpe:2.3:a:apache:activemq:5.17.6
-
cpe:2.3:a:apache:activemq:5.17.7
-
cpe:2.3:a:apache:activemq:5.18.0
-
cpe:2.3:a:apache:activemq:5.18.1
-
cpe:2.3:a:apache:activemq:5.18.2
-
cpe:2.3:a:apache:activemq:5.18.3
-
cpe:2.3:a:apache:activemq:5.18.4
-
cpe:2.3:a:apache:activemq:5.18.5
-
cpe:2.3:a:apache:activemq:5.18.6
-
cpe:2.3:a:apache:activemq:5.18.7
-
cpe:2.3:a:apache:activemq:5.19.0
-
cpe:2.3:a:apache:activemq:5.19.2
-
cpe:2.3:a:apache:activemq:5.19.3
-
cpe:2.3:a:apache:activemq:5.19.4
-
cpe:2.3:a:apache:activemq:5.19.6
-
cpe:2.3:a:apache:activemq:5.19.7
-
cpe:2.3:a:apache:activemq:5.2.0
-
cpe:2.3:a:apache:activemq:5.3.0
-
cpe:2.3:a:apache:activemq:5.3.1
-
cpe:2.3:a:apache:activemq:5.3.2
-
cpe:2.3:a:apache:activemq:5.4.0
-
cpe:2.3:a:apache:activemq:5.4.1
-
cpe:2.3:a:apache:activemq:5.4.2
-
cpe:2.3:a:apache:activemq:5.4.3
-
cpe:2.3:a:apache:activemq:5.5.0
-
cpe:2.3:a:apache:activemq:5.5.1
-
cpe:2.3:a:apache:activemq:5.6.0
-
cpe:2.3:a:apache:activemq:5.7.0
-
cpe:2.3:a:apache:activemq:5.8.0
-
cpe:2.3:a:apache:activemq:5.9.0
-
cpe:2.3:a:apache:activemq:5.9.1
-
cpe:2.3:a:apache:activemq:6.0.0
-
cpe:2.3:a:apache:activemq:6.0.1
-
cpe:2.3:a:apache:activemq:6.1.0
-
cpe:2.3:a:apache:activemq:6.1.1
-
cpe:2.3:a:apache:activemq:6.1.2
-
cpe:2.3:a:apache:activemq:6.1.3
-
cpe:2.3:a:apache:activemq:6.1.4
-
cpe:2.3:a:apache:activemq:6.1.5
-
cpe:2.3:a:apache:activemq:6.1.6
-
cpe:2.3:a:apache:activemq:6.1.7
-
cpe:2.3:a:apache:activemq:6.1.8
-
cpe:2.3:a:apache:activemq:6.1.9
-
cpe:2.3:a:apache:activemq:6.2.0
-
cpe:2.3:a:apache:activemq:6.2.2
-
cpe:2.3:a:apache:activemq:6.2.3
-
cpe:2.3:a:apache:activemq:6.2.4
-
cpe:2.3:a:apache:activemq:6.2.5
-
cpe:2.3:a:apache:activemq:6.2.6