CVE-2026-4649: Missing Authentication for Critical Function in Business HUB

Severity: 5.3 MEDIUM (NVD), CNA 9.3, OSV 9.3
EPSS: 0.0% (top 85.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 24

Description

Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw that allows reading all messages exchanged via the broker and injecting new messages (CVE-2026-27446, https://www.cve.org/CVERecord). Since KNIME Business Hub uses Apache Artemis, it is also affected by the issue. However, since Apache Artemis is not exposed to the outside, exploitation requires at least normal user privileges and the ability to execute workflows in an executor. Such a user can install and register a feder

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages (1 package)

CVEListV5: knime/knime_business_hub 1.17.0, 1.17.4, +2

🔴 Vulnerability Details (3)

CVEList: Auth bypass in Apache Artemis allows reading all internal messages (2026-03-24)
OSV: CVE-2026-4649: Apache Artemis before version 2 (2026-03-24)
GHSA: GHSA-c27m-9j97-3ghp: Apache Artemis before version 2 (2026-03-24)

📋 Vendor Advisories (1)

Red Hat: Apache Artemis: KNIME Business Hub: Apache Artemis and KNIME Business Hub: Authentication bypass allows information disclosure and message injection. (2026-03-24)

💬 Community (1)

Bugzilla: CVE-2025-61662 grub2: Missing unregister call for gettext command may lead to use-after-free (2025-11-12)
CVE-2026-4649 — Knime Business HUB vulnerability | cvebase