CVE-2026-49877

HIGH

Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-49877. PoCs published by HermesNA-1.

AI-analyzed exploit summary This repository contains an auto-generated stub module for CVE-2026-49877, an improper authorization vulnerability in Apache ActiveMQ's Web Console. The code includes placeholder logic for probing a target but lacks actual exploit implementation or technical details about the vulnerability mechanics.

Description

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Exploits (1)

github STUB 1 stars
by HermesNA-1 · pythonpoc
https://github.com/HermesNA-1/SnakeSploit/tree/main/data/modules_generated/cve-2026-49877_improper_authorization_vulnerability.py

This repository contains an auto-generated stub module for CVE-2026-49877, an improper authorization vulnerability in Apache ActiveMQ's Web Console. The code includes placeholder logic for probing a target but lacks actual exploit implementation or technical details about the vulnerability mechanics.

Classification
Stub 99%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Apache ActiveMQ (Web Console)
Auth required
Prerequisites: Authenticated low-privilege Web Console access · Target running vulnerable Apache ActiveMQ version
mistral-large-3 · analyzed Jul 09, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.1
EPSS 0.0051
EPSS Percentile 39.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-285
Status published
Products (3)
apache/activemq < 5.19.8
Apache Software Foundation/Apache ActiveMQ < 5.19.8
Apache Software Foundation/Apache ActiveMQ 6.0.0 - 6.2.7
Published Jun 30, 2026
Tracked Since Jun 30, 2026