CVE-2026-27446 · CRITICAL 9.8 · EPSS p94.2%

apache / artemis

Description

Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker.

This impacts environments that allow both:
- incoming Core protocol connections from untrusted sources to the broker
- outgoing Core protocol connections from the broker to untrusted targets

This issue affects:
- Apache Artemis from 2.50.0 through 2.51.0
- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.

The issue can be mitigated by one of the following:
- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol c

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.34% probability of exploitation · percentile 94.2% · 2026-06-18T12:00:27Z
Published: 2026-03-04
Last modified: 2026-06-15

Underlying weaknesses · 1

CWE-306

References

  1. https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg
  2. http://www.openwall.com/lists/oss-security/2026/03/03/4
  3. http://www.openwall.com/lists/oss-security/2026/03/04/1
  4. https://cert-portal.siemens.com/productcert/html/ssa-085541.html

1

Type | Target | Confidence | Tier
Weakness | Missing Authentication for Critical Function (cwe-306) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

- CVE-2026-46605
- CVE-2026-40466
- CVE-2026-49270
- CVE-2025-66168
- CVE-2026-45505
- CVE-2026-42588

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.