CVE-2026-54475 | Missing Authorization vulnerability in Apache ActiveMQ Broke…

Description

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Metadata

CVE ID: CVE-2026-54475
State: PUBLISHED
Assigner: apache
Reserved: 2026-06-15 16:52 UTC
Published: 2026-06-30 09:48 UTC
Last updated: 2026-06-30 11:06 UTC
Primary CWE: CWE-862
CWE-862 Missing Authorization
Vendor / Product: Apache Software Foundation / Apache ActiveMQ Broker
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (3)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache ActiveMQ	—	0 < 5.19.8, 6.0.0 < 6.2.7
Apache Software Foundation	Apache ActiveMQ All	—	0 < 5.19.8, 6.0.0 < 6.2.7
Apache Software Foundation	Apache ActiveMQ Broker	—	0 < 5.19.8, 6.0.0 < 6.2.7

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	CWE-862 Missing Authorization

References (1)

https://lists.apache.org/thread/85f3q7mkh71y7qwyn6wvgw0bw4jl06ys