Bug 2444320 (CVE-2026-27446) - CVE-2026-27446 org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication
Summary: CVE-2026-27446 org.apache.artemis:artemis-server: org.apache.activemq:artemis...
Keywords:
Status: NEW
Alias: CVE-2026-27446
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-04 07:05 UTC by OSIDB Bzimport
Modified: 2026-03-06 06:15 UTC (History)
57 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:3955 0 None None None 2026-03-05 21:59:40 UTC
Red Hat Product Errata RHSA-2026:3957 0 None None None 2026-03-06 06:15:14 UTC

Description OSIDB Bzimport 2026-03-04 07:05:15 UTC 
Affected versions:

- Apache Artemis (org.apache.artemis:artemis-server) 2.50.0 through 2.51.0
- Apache ActiveMQ Artemis (org.apache.activemq:artemis-server) 2.11.0 through 2.44.0

Description:

Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:

- incoming Core protocol connections from untrusted sources to the broker

- outgoing Core protocol connections from the broker to untrusted targets

This issue affects:

- Apache Artemis from 2.50.0 through 2.51.0

- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.

The issue can be mitigated by either of the following:

- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.

- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

Credit:

Hardik Mehta <me...> (finder)

References:

https://artemis.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-27446
Comment 3 errata-xmlrpc 2026-03-05 21:59:36 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.12.6

Via RHSA-2026:3955 https://access.redhat.com/errata/RHSA-2026:3955
Comment 4 errata-xmlrpc 2026-03-06 06:15:10 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.4

Via RHSA-2026:3957 https://access.redhat.com/errata/RHSA-2026:3957
Note You need to log in before you can comment on or make changes to this bug.