CVE-2026-49270
MEDIUMDescription
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Is your site exposed to CVE-2026-49270?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| apache | activemq |
| apache | activemq |
| apache | activemq_broker |
| apache | activemq_broker |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2026-49270? +
How severe is CVE-2026-49270? +
What products are affected by CVE-2026-49270? +
How do I check if I'm vulnerable to CVE-2026-49270? +
Related Vulnerabilities
The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. The identifier is exposed …
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to …
The users endpoint in the groov View API returns a list of all users and associated metadata including their API …
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while …
Information disclosure while accessing and modifying the PIB file of a remote device via powerline.
Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Exposure of Sensitive Information Through Metadata vulnerability. An unauthenticated attacker with remote access could …