
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN250
_____________________________________________________________________

DATE                : 04/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Artemis or Apache ActiveMQ
                     Artemis versions prior to 2.52.0.

=====================================================================
https://lists.apache.org/thread/zcphb2wtp8kr8sldsb3vlmos8rm8bczd
_____________________________________________________________________

CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass
for Core downstream federation

Severity: critical 

Affected versions:

- Apache Artemis (org.apache.artemis:artemis-server) 2.50.0 through
2.51.0
- Apache ActiveMQ Artemis (org.apache.activemq:artemis-server) 2.11.0
through 2.44.0

Description:

Missing Authentication for Critical Function (CWE-306) vulnerability in
Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote
attacker can use the Core protocol to force a target broker to
establish an outbound Core federation connection to an
attacker-controlled rogue broker. This can result in message injection
into any queue and/or message exfiltration from any queue via the rogue
broker. The issue is exploitable only in environments that allow both:

- incoming Core protocol connections from untrusted sources to the
broker

- outgoing Core protocol connections from the broker to untrusted
targets

This issue affects:

- Apache Artemis from 2.50.0 through 2.51.0

- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0
(artifact org.apache.artemis:artemis-server), which fixes the issue.
This applies to Apache ActiveMQ Artemis users as well, since the
project continues under the Apache Artemis name and coordinates.

The issue can be mitigated by either of the following:

- Remove Core protocol support from any acceptor receiving connections
from untrusted sources. Incoming Core protocol connections are
supported by default via the "artemis" acceptor listening on port
61616. See the "protocols" URL parameter configured for the acceptor.
An acceptor URL without this parameter supports all protocols by
default, including Core.

- Use two-way SSL (i.e. certificate-based authentication) in order
to force every client to present a certificate trusted by the broker
when establishing a connection, before any message protocol handshake
is attempted. Connections that fail this check are dropped at the TLS
layer, which prevents unauthenticated exploitation of this
vulnerability.
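The two mitigations above, shown as an added broker.xml acceptor fragment. This is example configuration written for this note, not text from the advisory or the Artemis project; the interface addresses, acceptor names, keystore paths and passwords are placeholders chosen for illustration. The first acceptor shows the weak form (no "protocols" parameter, so every protocol including Core is served), the next two split Core off onto a trusted interface, and the last one is a two-way TLS acceptor.

```xml
<!-- Added example (not part of the advisory): acceptor settings in
     etc/broker.xml. Addresses, keystore paths and passwords are
     placeholders, not values from the advisory. -->
<acceptors>

    <!-- WEAK: no "protocols" parameter, so this acceptor serves every
         protocol the broker supports, including Core. If this port is
         reachable from untrusted networks, the advisory applies. -->
    <acceptor name="artemis">tcp://0.0.0.0:61616</acceptor>

    <!-- MITIGATION 1: on the interface exposed to untrusted clients,
         list only the protocols actually needed and leave CORE out. -->
    <acceptor name="untrusted-clients">tcp://203.0.113.10:61616?protocols=AMQP,MQTT,STOMP</acceptor>

    <!-- Core is still used by Artemis' own Core/JMS clients, cluster
         connections and federation, so keep a Core-enabled acceptor
         bound to a trusted (internal) interface only. -->
    <acceptor name="internal-core">tcp://10.0.0.10:61616?protocols=CORE</acceptor>

    <!-- MITIGATION 2: two-way TLS. needClientAuth=true makes the broker
         reject any connection whose client certificate does not chain
         to a CA in its trust store, before any Core handshake runs. -->
    <acceptor name="mtls">tcp://0.0.0.0:61617?sslEnabled=true;keyStorePath=/var/lib/artemis/etc/broker.ks;keyStorePassword=changeme;trustStorePath=/var/lib/artemis/etc/clients.ts;trustStorePassword=changeme;needClientAuth=true;protocols=CORE</acceptor>

</acceptors>
```

Two practical checks go with this: grep every acceptor in broker.xml for a "protocols" parameter, because an acceptor that omits it (as in the "artemis" acceptor above) still accepts Core; and, since the advisory's second precondition is outbound Core connections from the broker to untrusted targets, apply host or network egress filtering on the broker so that it can only open Core connections to known peer brokers.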

Credit:

Hardik Mehta <me...@proton.me> (finder)

References:

https://artemis.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-27446



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




