CVE-2026-49157 Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

🗓️ 01 Jun 2026 07:20:10Reported by apacheType

Low-privilege web users can access Jolokia in ActiveMQ due to default permissions; fix in 5.19.7 and 6.2.6.

Reporter	Title	Published	Views	Family All 21
Tenable Nessus	Apache ActiveMQ < 5.19.7 / 6.x < 6.2.6 Multiple Vulnerabilities	4 Jun 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-49157	2 Jun 202600:00	–	nessus
ATTACKERKB	CVE-2026-49157	1 Jun 202607:20	–	attackerkb
Circl	CVE-2026-49157	31 May 202617:58	–	circl
CNNVD	Apache ActiveMQ 安全漏洞	1 Jun 202600:00	–	cnnvd
CVE	CVE-2026-49157	1 Jun 202607:20	–	cve
Debian CVE	CVE-2026-49157	1 Jun 202607:20	–	debiancve
EUVD	EUVD-2026-33574	1 Jun 202607:20	–	euvd
NVD	CVE-2026-49157	1 Jun 202609:16	–	nvd
OSV	BIT-ACTIVEMQ-2026-49157 Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default	5 Jun 202605:38	–	osv

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.activemq:apache-activemq",
    "product": "Apache ActiveMQ",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "5.19.7",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThan": "6.2.6",
        "status": "affected",
        "version": "6.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8

01 Jun 2026 07:20Current

EPSS0.00373

CWE-276