CVE-2026-27446: CWE-306 Missing Authentication for Critical Function in Apache Software Foundation Apache Artemis
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker.

This impacts environments that allow both:
- incoming Core protocol connections from untrusted sources to the broker
- outgoing Core protocol connections from the broker to untrusted targets

This issue affects:
- Apache Artemis from 2.50.0 through 2.51.0
- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0

Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.

The issue can be mitigated by one of the following:
- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.
- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.
- Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html .
AI Analysis
Technical Summary
CVE-2026-27446 is a CWE-306 Missing Authentication for Critical Function vulnerability in Apache Artemis and Apache ActiveMQ Artemis. It allows unauthenticated remote attackers to abuse the Core protocol to coerce a broker into creating outbound federation connections to attacker-controlled brokers. This can lead to unauthorized message injection or exfiltration from any queue. The vulnerability impacts Apache Artemis versions 2.50.0 through 2.51.0 and Apache ActiveMQ Artemis versions 2.11.0 through 2.44.0. The issue arises when brokers accept incoming Core protocol connections from untrusted sources and permit outgoing Core protocol connections to untrusted targets. The vendor recommends upgrading to Apache Artemis 2.52.0, which addresses the vulnerability. Alternative mitigations include disabling Core protocol support on acceptors exposed to untrusted sources, enforcing two-way SSL client authentication, or implementing Core interceptors to block federation connect packets.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to force a broker to establish outbound connections to a malicious broker, potentially allowing message injection into or exfiltration from any queue. This compromises the confidentiality and integrity of messaging queues in affected Apache Artemis and Apache ActiveMQ Artemis versions. The CVSS 4.0 base score is 9.3 (critical), reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
A fix is available in Apache Artemis version 2.52.0; users should upgrade to this version to remediate the vulnerability. If upgrading is not immediately possible, mitigations include: removing Core protocol support from acceptors that receive connections from untrusted sources (e.g., by configuring the 'protocols' parameter to exclude Core), enforcing two-way SSL (certificate-based authentication) to require clients to present valid certificates before protocol handshake, and deploying a Core interceptor to deny all Core downstream federation connect packets. These mitigations prevent unauthenticated exploitation of the vulnerability.
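The third mitigation above (a Core interceptor that denies downstream federation connect packets) as an added example; this is not code from the advisory or from the Artemis project. The package and class names and the use of java.util.logging are assumptions; the Interceptor interface, Packet.getType() and the remoting-incoming-interceptors element are those documented for Artemis interceptors, and the packet type value -16 is the one stated in the advisory.

```java
package com.example.artemis; // hypothetical package name

import java.util.logging.Logger;

import org.apache.activemq.artemis.api.core.ActiveMQException;
import org.apache.activemq.artemis.api.core.Interceptor;
import org.apache.activemq.artemis.core.protocol.core.Packet;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

/**
 * Core protocol interceptor that drops downstream federation connect packets.
 * Added example for CVE-2026-27446; not code from the Artemis project.
 */
public class DenyFederationConnectInterceptor implements Interceptor {

    private static final Logger LOG =
            Logger.getLogger(DenyFederationConnectInterceptor.class.getName());

    // Packet type of a Core downstream federation connect packet as stated in the
    // advisory: (int) -16, whose low byte is 0xF0. Comparing against the byte value
    // works whether getType() yields a byte or is widened to int.
    private static final byte FEDERATION_DOWNSTREAM_CONNECT = (byte) -16;

    @Override
    public boolean intercept(Packet packet, RemotingConnection connection)
            throws ActiveMQException {
        if (packet.getType() == FEDERATION_DOWNSTREAM_CONNECT) {
            // Worth alerting on: a federation connect arriving on an acceptor that
            // should never receive one is a strong indicator of exploitation attempts.
            LOG.warning("Denied Core federation connect packet (type -16) from "
                    + connection.getRemoteAddress());
            // Returning false tells the broker not to process this packet.
            return false;
        }
        // Every other packet passes through unchanged.
        return true;
    }
}

// Registration in broker.xml (inside <core>), after placing the compiled jar on the
// broker's classpath:
//
//   <remoting-incoming-interceptors>
//      <class-name>com.example.artemis.DenyFederationConnectInterceptor</class-name>
//   </remoting-incoming-interceptors>
//
// The first mitigation needs no code: restrict the acceptor's "protocols" parameter so
// untrusted clients cannot speak Core at all, e.g.
//   <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=AMQP,MQTT,STOMP</acceptor>
```

After deploying, confirm the interceptor is loaded in the broker log at startup and route the warning above to whatever alerting the broker logs already feed.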
CVSS v4.0
Score: 9.3 (critical)
Weaknesses: CWE-306 Missing Authentication for Critical Function
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-02-19T16:10:53.921Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a7f558d1a09e29cb1e3730
Added to database: 3/4/2026, 9:03:20 AM
Last enriched: 5/13/2026, 2:39:41 AM
Last updated: 5/30/2026, 2:25:22 PM