CVE-2026-32642

CWE-863Incorrect Authorization7 documents6 sources
Severity
2.3LOW
EPSS
0.1%
top 72.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Apache ArtemisApache Software Foundation Apache Activemq ArtemisApache Software Foundation Apache Artemis+1 more
Timeline
PublishedMar 24

Description

Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages6 packages

NVDapache/activemq_artemis2.0.02.44.0
NVDapache/artemis2.50.02.53.0

🔴Vulnerability Details

4
CVEList
Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission2026-03-24
OSV
Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol2026-03-24
OSV
CVE-2026-32642: Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol atte2026-03-24
GHSA
Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol2026-03-24

📋Vendor Advisories

1
Red Hat
Apache Artemis: Apache ActiveMQ Artemis: Apache Artemis and Apache ActiveMQ Artemis: Unauthorized address creation due to incorrect authorization during JMS topic subscription.2026-03-24

🕵️Threat Intelligence

1
Wiz
CVE-2026-32642 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-32642 (LOW CVSS 2.3) | Incorrect Authorization (CWE-863) v | cvebase.io