Authentication Bypass in Apache Artemis Core Downstream Federation (CVE-2026-27446)
CVE-2026-27446 is a critical missing authentication for a critical function (CWE-306) in Apache Artemis and Apache ActiveMQ Artemis that enables an unauthenticated remote attacker to abuse the Core protocol to force a target broker to establish an outbound Core downstream federation connection to an attacker-controlled rogue broker. If successful, the attacker can inject arbitrary messages into any queue and/or exfiltrate messages from any queue via the rogue broker, particularly in environments that allow incoming Core protocol connections from untrusted sources and outgoing Core protocol connections to untrusted destinations.
Impacted versions include Apache Artemis 2.50.0–2.51.0 and Apache ActiveMQ Artemis 2.11.0–2.44.0; upgrading to Apache Artemis 2.52.0 is recommended to remediate. Mitigations include removing Core protocol support from untrusted-facing acceptors (notably the default artemis acceptor on port 61616 if configured to allow Core) or enforcing two-way TLS (mTLS) to require certificate-based client authentication before protocol negotiation. The Centre for Cybersecurity Belgium highlighted the high severity (reported as CVSS 9.3) and noted no vendor warning of active exploitation as of early March 2026, while emphasizing that ActiveMQ-family products have been repeatedly targeted historically for follow-on activity such as ransomware deployment.
Timeline
Mar 5, 2026
Belgium CCB issues public warning to patch CVE-2026-27446
The Belgian Centre for Cybersecurity published an advisory warning that the authentication bypass vulnerability affecting Apache Artemis and Apache ActiveMQ Artemis could lead to message injection and exfiltration. The notice urged organizations to patch immediately.
Mar 4, 2026
Apache recommends upgrading to Artemis 2.52.0 and applying mitigations
Apache advised affected users to upgrade to Apache Artemis 2.52.0 to address the vulnerability. It also documented mitigations such as disabling the Core protocol on untrusted-facing acceptors or enforcing mutual TLS with client certificates before protocol handshake.
Mar 4, 2026
Apache discloses CVE-2026-27446 in Artemis and ActiveMQ Artemis
A missing-authentication flaw in the Core downstream federation feature was disclosed as CVE-2026-27446, allowing an unauthenticated remote attacker to coerce a broker into creating an outbound federation connection to a rogue broker. The issue can enable message injection or exfiltration from queues in affected deployments that accept untrusted incoming Core connections and allow untrusted outgoing Core connections.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Malware
Sources
Related Stories
Apache ActiveMQ and Artemis Flaws Enable Security Bypass and Multiple Attacks
German authorities issued advisories for **Apache ActiveMQ Artemis** and **Apache ActiveMQ Classic** components after disclosing vulnerabilities that affect the broker, client, and web interfaces. One advisory warns that a flaw in **Apache ActiveMQ Artemis** can allow attackers to **bypass security measures**, raising the risk of unauthorized access or actions within affected messaging environments. A separate advisory reports **multiple vulnerabilities** in **Apache ActiveMQ** across the **Client, Broker, and Web** components, indicating broader exposure for organizations using the messaging platform in enterprise integrations and application back ends. The notices identify the affected Apache messaging products as requiring prompt review and remediation to reduce the risk of compromise in systems that rely on ActiveMQ services.
1 weeks ago
Apache ActiveMQ Flaws Enable Path Traversal and TLS DoS
Apache disclosed two vulnerabilities affecting multiple **ActiveMQ** components, including Client, Broker, and bundled distributions. **CVE-2026-33227** is a low-severity pathname restriction flaw that lets an authenticated user manipulate a supplied `key` value to traverse the classpath in two cases: when creating a **STOMP** consumer and when browsing messages through the web console. Apache warned the issue could expose classpath resource loading and potentially be chained with another attack. The flaw affects the 5.x branch before **5.19.3** and the 6.x branch from **6.0.0** before **6.2.2**, but Apache said those initial fixes were incomplete on Windows because of path separator handling, and recommended upgrading instead to **5.19.4** or **6.2.3**. Apache also published **CVE-2026-39304**, an important denial-of-service flaw in ActiveMQ's **NIO SSL transports** caused by incorrect handling of **TLS 1.3 `KeyUpdate`** messages. A client can repeatedly trigger updates and exhaust broker memory in the SSL engine, causing out-of-memory crashes and service disruption. Apache added that related handshake handling is also broken for earlier TLS versions such as **TLS 1.2**, though those cases lead to hung connections rather than memory exhaustion. The DoS issue affects the 5.x branch before **5.19.4** and the 6.x branch from **6.0.0** before **6.2.4**; users are advised to upgrade to **5.19.5** or **6.2.4**.
3 weeks ago
Critical RCE Vulnerability in Apache ActiveMQ NMS AMQP Client
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-54539, has been discovered in the Apache ActiveMQ NMS AMQP Client. This flaw is rated with a CVSS 3.1 score of 9.8, indicating its severe impact and ease of exploitation. The vulnerability arises from the deserialization of untrusted data within the NMS AMQP Client component, which can allow attackers to execute arbitrary code on the server. Security researchers have confirmed that successful exploitation of this vulnerability could lead to full server-side code execution, potentially granting attackers complete control over affected systems. The issue specifically affects deployments using the NMS AMQP Client, a component commonly integrated into enterprise messaging infrastructures. Organizations relying on Apache ActiveMQ for message brokering are at heightened risk if they utilize the vulnerable client library. The vulnerability can be exploited remotely, requiring no prior authentication, which significantly increases the attack surface and urgency for remediation. Security advisories recommend immediate patching or mitigation to prevent exploitation in the wild. The flaw was publicly disclosed on October 16, 2025, prompting rapid response from the Apache ActiveMQ development team and the broader security community. No reports of active exploitation have been confirmed at the time of disclosure, but the critical nature of the bug has led to widespread concern among enterprise users. Technical analysis indicates that the vulnerability stems from improper handling of serialized objects received over the AMQP protocol. Attackers can craft malicious payloads that, when processed by the vulnerable client, trigger arbitrary code execution. The Apache Software Foundation has released updated versions of the NMS AMQP Client to address the issue and urges all users to upgrade immediately. Security experts highlight the importance of reviewing all systems for the presence of the affected library and applying compensating controls where patching is not immediately feasible. The vulnerability underscores the ongoing risks associated with deserialization flaws in widely used open-source components. Organizations are advised to monitor for indicators of compromise and to review their application architectures for similar risks. The incident serves as a reminder of the critical need for secure coding practices and regular vulnerability management in enterprise environments.
1 months ago