CVE-2026-27446

CVE-2026-27446 is a Missing Authentication for Critical Function (CWE-306) vulnerability affecting Apache Artemis versions 2.50.0 through 2.51.0 and Apache ActiveMQ Artemis versions 2.11.0 through 2.44.0. The flaw allows an unauthenticated remote attacker to exploit the Core protocol, forcing a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This issue impacts environments that permit both incoming Core protocol connections from untrusted sources to the broker and outgoing Core protocol connections from the broker to untrusted targets.

An unauthenticated remote attacker can exploit this vulnerability by initiating a Core protocol connection from an untrusted source. Upon success, the attacker tricks the broker into federating with the rogue broker, enabling message injection into any queue or message exfiltration from any queue via the attacker-controlled broker. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.

Apache advisories recommend upgrading to Apache Artemis version 2.52.0, which resolves the issue. Additional mitigations include removing Core protocol support from acceptors receiving connections from untrusted sources, such as the default "artemis" acceptor on port 61616; enabling two-way SSL for certificate-based authentication prior to protocol handshakes; or deploying a Core interceptor to deny downstream federation connect packets (type (int) -16 or (byte) 0xfffffff0), with documentation available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html. Relevant advisories are posted at https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg, http://www.openwall.com/lists/oss-security/2026/03/03/4, and http://www.openwall.com/lists/oss-security/2026/03/04/1.