CVE-2025-27427
CVE-2025-27427 affects Apache ActiveMQ Artemis 2.0.0–2.39.0. A user with createDurableQueue or createNonDurableQueue permissions can augment the routing-type of an address without createAddress permission, and with send permission plus automatic queue creation could send messages using a routing-...
CVE-2022-23913
CVE-2022-23913 affects Apache ActiveMQ Artemis, specifically versions prior to 2.20.0 or 2.19.1. The issue allows an attacker to partially disrupt availability (DoS) through uncontrolled memory/resource consumption. This conclusion is drawn from the CVE entry and the IBM security bulletin that li...
CVE-2021-26117
CVE-2021-26117 describes an LDAP authentication weakness in the optional ActiveMQ LDAP login module where anonymous access can bypass password verification. Connected sources confirm affected lines: Apache ActiveMQ Artemis prior to 2.16.0 and Apache ActiveMQ prior to 5.16.1 and 5.15.14. Debian/Ub...
CVE-2017-12174
CVE-2017-12174 affects Artemis and HornetQ when configured with UDP discovery and JGroups discovery; a huge byte array is created upon receiving an unexpected multicast message, leading to heap memory exhaustion, full GC, or OutOfMemoryError. The OSV/Nessus Red Hat advisories summarize this as pa...
CVE-2022-35278
CVE-2022-35278 affects Apache ActiveMQ Artemis before 2.24.0, where HTML in the name of an address/queue can inject HTML into the web console, potentially showing malicious content or redirecting users. Red Hat AMQ Broker advisories confirm a fix in 2.24.0+ (and related advisories list the CVE). ...
CVE-2020-10727
CVE-2020-10727 affects ActiveMQ Artemis management API from version 2.7.0 up to 2.12.0. The root cause is that during the resetUsers operation, passwords are stored in plaintext in the Artemis shadow file (etc/artemis-users.properties), enabling a local attacker to read the shadow file contents. ...
CVE-2021-26118
The CVE-2021-26118 issue affects Apache ActiveMQ Artemis 2.15.0, where the OpenWire protocol head can produce advisory messages outside policy-based access control for the entire session, bypassing session-wide ACL protection. The root cause is improper access control enforcement during advisory ...
CVE-2016-4978
CVE-2016-4978 affects Apache ActiveMQ Artemis (JMS ObjectMessage getObject) where deserialization of untrusted input can occur via gadget classes on Artemis classpath. Affected components include the JMS Core client, Artemis broker, and Artemis REST component in Artemis before 1.4.0. Successful e...
CVE-2020-13932
Summary: CVE-2020-13932 concerns Apache ActiveMQ Artemis 2.5.0–2.13.0 where a specially crafted MQTT packet carrying an XSS payload in the client-id or topic name can be injected into the admin console’s browser via the diagram plugin, affecting the diagram plugin, queue node, and info section in...
CVE-2021-4040
CVE-2021-4040 affects AMQ Broker / Red Hat AMQ Broker where a malformed message can trigger an Out-of-Memory condition, partially disrupting availability. The issue is cited in multiple sources (e.g., GHSA advisory and RHSA-2022:5101) describing a partial DoS via OOM without full compromise. Red ...
CVE-2025-27391
CVE-2025-27391 affects Apache ActiveMQ Artemis. When debug logging is enabled for the broker, the system logs all broker property values via the ConfigurationImpl logger, potentially exposing sensitive information. Affected versions are from 1.5.1 up to (but not including) 2.40.0. Impact is expos...
CVE-2023-50780
Apache ActiveMQ Artemis suffers a vulnerability where diagnostic MBeans (including the Log4J2 MBean) are exposed through the Jolokia endpoint, accessible to authenticated users. Before version 2.29.0 this exposure could allow an authenticated attacker to write arbitrary files to the filesystem an...
CVE-2026-27446
CVE-2026-27446 affects Apache Artemis and Apache ActiveMQ Artemis. The vulnerability enables an unauthenticated remote attacker to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker, potentially allowing message injection into any queu...
CVE-2026-40914
CVE-2026-40914 describes a vulnerability in Apache Artemis (and Apache ActiveMQ Artemis) where a STOMP-authenticated user with either consume or send permission on an address can augment the address routing-type without having createAddress permission for that address. This allows sending or cons...
CVE-2026-32642
CVE-2026-32642 is an authorization bypass in Apache Artemis/ActiveMQ Artemis OpenWire handling: when an authenticated user with createDurableQueue but without createAddress attempts to create a non-durable JMS topic subscription on a non-existent address and address auto-creation is disabled, a t...