CVE-2026-32642 is a security vulnerability classified under CWE-863 (Incorrect Authorization) affecting Apache Artemis and Apache ActiveMQ Artemis messaging brokers. The issue arises specifically when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that does not exist. The user must be authenticated and have the "createDurableQueue" permission but lack the "createAddress" permission, with address auto-creation disabled. Under these conditions, the system incorrectly allows creation of a temporary address, which should have been denied due to insufficient permissions. This temporary address exists only for the duration of the OpenWire connection and is removed upon connection closure. The vulnerability affects Apache Artemis versions from 2.50.0 through 2.52.0 and Apache ActiveMQ Artemis versions from 2.0.0 through 2.44.0. The root cause is improper enforcement of authorization checks during subscription creation, allowing users to bypass address creation restrictions. The vulnerability has a CVSS 4.0 base score of 2.3, indicating low severity, with network attack vector, low complexity, partial privileges required, no user interaction, and limited impact on integrity. No known exploits have been reported in the wild. The Apache Software Foundation has addressed this issue in version 2.53.0 by correcting the authorization logic to prevent temporary address creation when the user lacks the necessary permissions. This fix ensures that attempts to create non-durable subscriptions on non-existent addresses fail as intended when address auto-creation is disabled.

The impact of CVE-2026-32642 is relatively low but should not be dismissed. Unauthorized temporary address creation could lead to unexpected resource consumption on messaging brokers, potentially affecting system stability or performance under certain conditions. While the temporary nature of the address limits persistence, it could be exploited to bypass address creation restrictions, possibly enabling unauthorized message routing or subscription behaviors. This could undermine organizational policies that rely on strict address creation controls to segregate messaging domains or enforce security boundaries. However, the vulnerability does not directly expose sensitive data or allow privilege escalation beyond the existing permissions. The requirement for authenticated users with specific permissions and the absence of user interaction further limit exploitation scope. Organizations running affected versions of Apache Artemis or ActiveMQ Artemis in critical messaging infrastructures may face operational risks if this vulnerability is exploited, especially in multi-tenant or highly regulated environments where strict authorization is essential.

To mitigate CVE-2026-32642, organizations should upgrade affected Apache Artemis and Apache ActiveMQ Artemis installations to version 2.53.0 or later, where the authorization logic has been corrected. Until the upgrade can be applied, administrators should review and tighten permission assignments, ensuring that users are granted only the minimum necessary permissions, particularly avoiding unnecessary "createDurableQueue" permissions without corresponding "createAddress" rights. Disabling the OpenWire protocol if not required can reduce exposure. Monitoring broker logs for unusual address creation events or subscription attempts on non-existent addresses can help detect exploitation attempts. Implementing network segmentation and access controls to restrict broker access to trusted users and systems further reduces risk. Regularly auditing messaging infrastructure configurations and permissions will help maintain a secure posture. Finally, organizations should stay informed about updates from the Apache Software Foundation regarding any further patches or advisories related to Artemis.