PT-2026-26884 · Apache · Apache Artemis+1

Stephen Higgs · Published 2026-03-21 · Updated 2026-03-24 · CVE-2026-32642

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Apache Artemis versions 2.50.0 through 2.52.0
Apache ActiveMQ Artemis versions 2.0.0 through 2.44.0

Description
An authorization issue exists in Apache Artemis and Apache ActiveMQ Artemis. When an application using the OpenWire protocol attempts to establish a non-durable JMS topic subscription on a non-existent address, the authenticated user has the "createDurableQueue" permission but lacks the "createAddress" permission, and address auto-creation is disabled, a temporary address is created. This occurs even though the subscription attempt should fail because the user is not authorized to create the address. The temporary address is removed when the OpenWire connection is terminated.

Recommendations
Upgrade to version 2.53.0 to resolve the issue.
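
An added example, not part of the advisory or of Apache's code: a configuration audit that flags broker.xml security-settings meeting the preconditions in the description (an OpenWire-capable acceptor, address auto-creation disabled, and a role holding createDurableQueue without createAddress). The sample XML is constructed, and the check is a simplification that does not resolve wildcard overlap between security-setting and address-setting matches.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

NS = {"c": "urn:activemq:core"}

# Constructed sample broker.xml fragment, not taken from a real deployment.
SAMPLE_BROKER_XML = """\
<configuration xmlns="urn:activemq"><core xmlns="urn:activemq:core">
  <acceptors>
    <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,OPENWIRE</acceptor>
  </acceptors>
  <security-settings>
    <security-setting match="orders.#">
      <permission type="createDurableQueue" roles="app,ops"/>
      <permission type="createAddress" roles="ops"/>
    </security-setting>
  </security-settings>
  <address-settings>
    <address-setting match="#"><auto-create-addresses>false</auto-create-addresses></address-setting>
  </address-settings>
</core></configuration>
"""

def speaks_openwire(uri):
    # An acceptor URI without a protocols= parameter accepts every installed protocol.
    query = urlsplit(uri.strip()).query.replace(";", "&")
    protos = parse_qs(query).get("protocols")
    return protos is None or "OPENWIRE" in protos[0].upper().split(",")

def roles(setting, perm):
    # Roles granted permission `perm` inside one <security-setting>.
    return {r.strip() for p in setting.findall("c:permission", NS)
            if p.get("type") == perm
            for r in p.get("roles", "").split(",") if r.strip()}

def audit(xml_text):
    # Assumption: wildcard overlap between the two kinds of match is not evaluated.
    core = ET.fromstring(xml_text).find("c:core", NS)
    acceptors = [a.get("name") for a in core.iterfind("c:acceptors/c:acceptor", NS)
                 if speaks_openwire(a.text or "")]
    no_auto = [s.get("match") for s in core.iterfind("c:address-settings/c:address-setting", NS)
               if s.findtext("c:auto-create-addresses", "true", NS).strip().lower() == "false"]
    findings = []
    for s in core.iterfind("c:security-settings/c:security-setting", NS):
        exposed = roles(s, "createDurableQueue") - roles(s, "createAddress")
        if exposed and acceptors and no_auto:
            findings.append({"match": s.get("match"), "roles": sorted(exposed),
                             "openwire_acceptors": acceptors, "auto_create_disabled_on": no_auto})
    return findings

if __name__ == "__main__": print(audit(SAMPLE_BROKER_XML))
```

A finding only means the configuration matches the described preconditions; whether the broker is affected still depends on it running one of the versions listed above.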

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2026-32642
GHSA-F4GC-MWRG-Q36R

Affected Products

Apache ActiveMQ Artemis
Apache Artemis