CVE-2026-27446 — Missing Authentication for Critical Function in Software Foundation Apache ActiveMQ Artemis
Severity: 9.3 CRITICAL (NVD)
EPSS: 0.1% (top 66.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 4
Latest update: Mar 24
Description
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:
- incoming Core protocol connectio…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L
Affected Packages: 5 packages
🔴 Vulnerability Details (4)
- OSV: Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions (2026-03-04)
- GHSA: Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions (2026-03-04)
- OSV: CVE-2026-27446: Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis (2026-03-04)
- CVEList
📋 Vendor Advisories (2)
- Red Hat: Apache Artemis: KNIME Business Hub: Apache Artemis and KNIME Business Hub: Authentication bypass allows information disclosure and message injection. (2026-03-24)
- Red Hat: org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication (2026-03-04)
🕵️ Threat Intelligence (1)
💬 Community (1)
- Bugzilla: CVE-2026-27446 org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication (2026-03-04)