GHSA-hf52-78x8-6w3w · Severity: medium — Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker,...
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Conclusion & alert: CVE-2026-49270 is rated Low Risk (32.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.34%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.15% | 0.34% | +0.19% |
| 2 | 2026-06-07 | 0.09% | 0.15% | +0.06% |
| 3 | 2026-06-02 | — | 0.09% | — |
Full EPSS history (4 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.9 | 3.1 | MEDIUM |
|
2.2 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-hf52-78x8-6w3w · Severity: medium — Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker,...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-49270 not yet assigned priority: Debian including 1 source packages (activemq), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): open 4. | https://security-tracker.debian.org/tracker/CVE-2026-49270 |
ubuntu
|
medium | CVE-2026-49270 medium priority: Ubuntu including 1 source packages (activemq), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, resolute, upstream): needs-triage 7. | https://ubuntu.com/security/CVE-2026-49270 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | activemq | < 5.19.7 | cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* |
| apache | activemq | >= 6.0.0, < 6.2.6 | cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* |
| apache | activemq_broker | < 5.19.7 | cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* |
| apache | activemq_broker | >= 6.0.0, < 6.2.6 | cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/k3233c1x506z3w7x4z0dqvd86d4v2fr2 | Mailing List Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/05/31/22 | Mailing List Third Party Advisory |