CVE-2026-32642 in Artemis
Summary
by MITRE • 03/24/2026
Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.
This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.
Users are recommended to upgrade to version 2.53.0, which fixes the issue.
Analysis
by VulDB Data Team • 03/30/2026
CVE-2026-32642 is an Incorrect Authorization flaw (CWE-863) in Apache Artemis and Apache ActiveMQ Artemis. It is reachable only through the OpenWire protocol, and only under a specific combination of conditions: an authenticated client holds the "createDurableQueue" permission but not the "createAddress" permission for the address in question, address auto-creation ("auto-create-addresses") is disabled in the broker configuration, and the client requests a non-durable JMS topic subscription on an address that does not yet exist. The expected outcome is a rejected subscription, because the user is not authorized to create the address. Instead, the broker creates a temporary address and the subscription succeeds.
The defect lies in how the OpenWire layer handles address creation while setting up a subscription. The queue-level permission is honoured, but the step that creates the temporary address backing the subscription is not gated by "createAddress", so that permission and the disabled auto-creation setting are bypassed on this one path. The temporary address exists only for the lifetime of the OpenWire connection and is removed when the connection closes, so nothing is left behind in the broker's configuration or journal. The advisory describes no impact beyond the creation of that address; what a client can then do with it depends on whatever other permissions (send, consume, browse) its role holds on the matching security-setting.
The practical consequence is that two controls an operator would rely on, the "createAddress" permission and "auto-create-addresses" set to false, do not hold for OpenWire clients on affected versions. An attacker must already possess valid broker credentials carrying "createDurableQueue"; this is not an unauthenticated bypass. Because the address disappears with the connection, the flaw provides no persistence on its own, and the advisory does not claim information disclosure or denial of service. The affected ranges are Apache Artemis 2.50.0 through 2.52.0 and Apache ActiveMQ Artemis 2.0.0 through 2.44.0, so the bug has been present since the start of the 2.x line. VulDB maps the behaviour to ATT&CK T1078.004, a Valid Accounts sub-technique (Cloud Accounts); the fit is the use of legitimate credentials to exceed their intended permissions rather than persistence, since nothing survives the connection.
The fix is to upgrade to version 2.53.0, which adds the missing "createAddress" check before a temporary address is created for an OpenWire subscription. Until the upgrade is in place, operators should establish whether they are actually exposed: the broker version must fall in an affected range, an OpenWire acceptor must be reachable by non-administrative users, some role must hold "createDurableQueue" without "createAddress", and "auto-create-addresses" must be false for the addresses those roles can reach. Roles that meet that pattern should be reviewed against least privilege, which is the access-control practice frameworks such as NIST SP 800-53 and ISO/IEC 27001 call for. Security teams should also watch broker logs for addresses appearing that no configured address-setting or administrator created, and keep OpenWire acceptors behind network segmentation so that only intended clients can reach them.
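The exposure check described above, as an added, hypothetical audit script that is not part of Artemis or of this advisory: it reads a broker.xml, flags roles that hold createDurableQueue without createAddress in each security-setting, reports address-settings that disable auto-create-addresses, and compares a version string against the affected ranges quoted above. The broker.xml sample is constructed for the example; the script compares match strings as written and does not reproduce the broker's wildcard precedence rules, so treat its output as a screen for a manual review rather than a verdict.

```python
"""Screen a broker.xml for the CVE-2026-32642 preconditions (hypothetical audit script)."""
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment's broker.xml. The "analysts" role is
# the problem case: it can create durable queues but may not create addresses.
SAMPLE_BROKER_XML = """
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-settings>
      <security-setting match="#">
        <permission type="createDurableQueue" roles="admins,analysts"/>
        <permission type="createNonDurableQueue" roles="admins"/>
        <permission type="createAddress" roles="admins"/>
        <permission type="consume" roles="admins,analysts"/>
        <permission type="send" roles="admins"/>
      </security-setting>
    </security-settings>
    <address-settings>
      <address-setting match="#">
        <auto-create-addresses>false</auto-create-addresses>
        <auto-create-queues>false</auto-create-queues>
      </address-setting>
    </address-settings>
  </core>
</configuration>
"""

# Inclusive version ranges as stated in the advisory.
AFFECTED_RANGES = {
    "Apache Artemis": ((2, 50, 0), (2, 52, 0)),
    "Apache ActiveMQ Artemis": ((2, 0, 0), (2, 44, 0)),
}


def _local(tag):
    """Strip the XML namespace so lookups work regardless of the urn:activemq prefixes."""
    return tag.rsplit("}", 1)[-1]


def _roles(attr):
    """Split a comma-separated roles attribute into a set of role names."""
    return {r.strip() for r in attr.split(",") if r.strip()}


def security_settings(xml_text):
    """Map each security-setting match string to {permission type: set of roles}."""
    result = {}
    for setting in ET.fromstring(xml_text).iter():
        if _local(setting.tag) != "security-setting":
            continue
        perms = {}
        for perm in setting:
            if _local(perm.tag) == "permission":
                perms[perm.get("type")] = _roles(perm.get("roles", ""))
        result[setting.get("match")] = perms
    return result


def auto_create_disabled_matches(xml_text):
    """Return address-setting match strings whose auto-create-addresses is false."""
    matches = []
    for setting in ET.fromstring(xml_text).iter():
        if _local(setting.tag) != "address-setting":
            continue
        for child in setting:
            if _local(child.tag) == "auto-create-addresses" and (child.text or "").strip().lower() == "false":
                matches.append(setting.get("match"))
    return matches


def exposed_roles(xml_text):
    """(match, role) pairs where the role has createDurableQueue but not createAddress."""
    findings = []
    for match, perms in security_settings(xml_text).items():
        missing = perms.get("createDurableQueue", set()) - perms.get("createAddress", set())
        for role in sorted(missing):
            findings.append((match, role))
    return findings


def parse_version(text):
    """'2.44.0' -> (2, 44, 0); a '-SNAPSHOT' style suffix is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_affected(product, version):
    """True/False against the advisory ranges, None for a product the advisory does not list."""
    rng = AFFECTED_RANGES.get(product)
    if rng is None:
        return None
    low, high = rng
    return low <= parse_version(version) <= high


def audit(xml_text, product, version):
    """Combine the checks; 'vulnerable' only when every precondition and the version line up."""
    roles = exposed_roles(xml_text)
    disabled = auto_create_disabled_matches(xml_text)
    affected = is_affected(product, version)
    return {
        "exposed_roles": roles,
        "auto_create_disabled": disabled,
        "version_affected": affected,
        "vulnerable": bool(roles) and bool(disabled) and affected is True,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_BROKER_XML, "Apache ActiveMQ Artemis", "2.44.0").items():
        print(f"{key}: {value}")
```

Run it against a real broker.xml by replacing SAMPLE_BROKER_XML with the file contents and passing the broker's product name and version; a finding still requires that the OpenWire acceptor is reachable by users in the flagged roles, which the script cannot see.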