Detections
Analytics

Apache Artemis 2.0.0 < 2.54.0 Incorrect Authorization (CVE-2026-40914)

medium Nessus Plugin ID 317711

Language:

Synopsis

The remote host is affected by an incorrect authorization vulnerability.

Description

The version of Apache Artemis (formerly Apache ActiveMQ Artemis) installed on the remote host is affected by a vulnerability:

 - A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission. (CVE-2026-40914)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Artemis version 2.54.0 or later.

See Also

https://lists.apache.org/thread/sk5s6m37txbljgdcnhgqo5d4bfp2c1xd

Plugin Details

Severity: Medium

ID: 317711

File Name: apache_artemis_CVE-2026-40914.nasl

Version: 1.2

Type: Local

Agent: unix

Family: Misc.

Published: 5/29/2026

Updated: 6/1/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2026-40914

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:activemq_artemis

Required KB Items: installed_sw/Apache Artemis

Exploit Ease: No known exploits are available

Patch Publication Date: 5/27/2026

Vulnerability Publication Date: 5/27/2026

Reference Information

CVE: CVE-2026-40914

IAVA: 2026-A-0519