PT-2026-45383 · Apache · Activemq

Basel Khaled · Published 2026-06-01 · Updated 2026-06-01 · CVE-2026-49270

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ Broker versions prior to 5.19.7
Apache ActiveMQ Broker versions 6.0.0 through 6.2.5
Apache ActiveMQ versions prior to 5.19.7
Apache ActiveMQ versions 6.0.0 through 6.2.5
Apache ActiveMQ All versions prior to 5.19.7
Apache ActiveMQ All versions 6.0.0 through 6.2.5

Description

An exposure of sensitive information through metadata occurs when brokers are configured with a network connector where syncDurableSubs is set to true. An unauthenticated attacker can retrieve a list of all durable topic subscriptions in the broker by sending a BrokerInfo command. The broker fails to ensure the connection is authenticated before responding, potentially leaking client identifiers, subscription names, topic destinations, and JMS selector expressions.

Recommendations

Upgrade to version 5.19.7
Upgrade to version 6.2.6
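
To triage a broker against the condition described above, the following added example (not part of the original advisory and not Apache's code) checks a version string against the listed ranges and scans a broker XML configuration for networkConnector elements with syncDurableSubs enabled. The sample configuration, host names and function names are constructed for illustration; treating a `${...}` placeholder value as "review" is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config; broker, connector and host names are made up.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="demo">
    <networkConnectors>
      <networkConnector name="to-hub" uri="static:(tcp://hub.example:61616)" syncDurableSubs="true"/>
      <networkConnector name="to-edge" uri="static:(tcp://edge.example:61616)"/>
      <networkConnector name="to-dr" uri="static:(tcp://dr.example:61616)" syncDurableSubs="${sync.subs}"/>
    </networkConnectors>
  </broker>
</beans>"""

def version_affected(version):
    """True if the version falls in the ranges the advisory lists as affected."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    # Prior to 5.19.7, or 6.0.0 through 6.2.5 (fixed in 5.19.7 and 6.2.6).
    return v < (5, 19, 7) or (6, 0, 0) <= v <= (6, 2, 5)

def exposed_connectors(xml_text):
    """Return (connector name, status) for connectors that enable syncDurableSubs."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "networkConnector":  # ignore XML namespace
            continue
        name = el.get("name", "<unnamed>")
        value = el.get("syncDurableSubs", "false").strip()
        if value.lower() == "true":
            findings.append((name, "enabled"))
        elif value.startswith("${"):
            # Value comes from a property placeholder: resolve it by hand.
            findings.append((name, "review"))
    return findings

def assess(version, xml_text):
    """Broker is at risk when the version is affected AND a connector syncs durable subs."""
    findings = exposed_connectors(xml_text)
    at_risk = version_affected(version) and any(s == "enabled" for _, s in findings)
    return at_risk, findings

if __name__ == "__main__":
    for ver in ("5.19.6", "6.2.5", "6.2.6"):
        print(ver, assess(ver, SAMPLE))
```
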

Related Identifiers

CVE-2026-49270

Affected Products

Activemq