JustAppSec

Apache Artemis auth bypass enables message injection via rogue federation

Published 04 Mar 2026. Source: National Vulnerability Database (NVD)

TL;DR — An authentication bypass in Apache Artemis lets unauthenticated attackers force outbound federation connections, enabling message injection or exfiltration across brokers.

What happened

Apache ActiveMQ Artemis is a high-performance, open-source message broker used for asynchronous messaging between distributed services. CVE-2026-27446 describes a Missing Authentication for Critical Function in Apache Artemis / ActiveMQ Artemis. An unauthenticated remote attacker using the Core protocol can force a broker to establish an outbound federation connection to an attacker-controlled broker, enabling message injection into queues and/or message exfiltration.

Apache's CNA scored this CVSS v4.0 9.3 (Critical). The attack is notable because it turns an inbound connection into server-side outbound requests — a pattern reminiscent of SSRF exploitation but at the message broker level.

Who is impacted

  • Apache Artemis 2.50.0 through 2.51.0 and ActiveMQ Artemis 2.11.0 through 2.44.0.
  • Environments allowing both incoming Core protocol connections from untrusted sources and outgoing connections to untrusted targets.
  • Core protocol is typically enabled on the default artemis acceptor on port 61616.

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
  • If you cannot patch:
    • Disable Core protocol on acceptors reachable by untrusted clients.
    • Enforce mutual TLS so every client presents a valid certificate before protocol handshake.
  • Audit brokers with port 61616 exposed beyond trusted networks.
  • Restrict outbound broker connections to trusted endpoints only.
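As an added illustration of the two "cannot patch" bullets (not configuration from the advisory or the Artemis project): a broker.xml `<acceptors>` fragment with a default-style acceptor beside a hardened layout that removes Core from the client-facing acceptor and requires mutual TLS. Interface addresses, keystore paths and passwords are placeholders you would replace with your own.

```xml
<!-- Added example, not from the advisory or the Artemis project.
     Addresses, keystore paths and passwords are placeholders. -->

<!-- BEFORE: the single default-style acceptor offers every protocol,
     including CORE, in cleartext to anyone who can reach port 61616. -->
<acceptors>
  <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,MQTT,OPENWIRE;useEpoll=true</acceptor>
</acceptors>

<!-- AFTER: split the roles across two acceptors. -->
<acceptors>
  <!-- Client-facing acceptor: CORE is dropped from the protocol list, and
       needClientAuth=true makes the TLS handshake reject any client that
       does not present a certificate chained to the configured truststore,
       so no messaging protocol is negotiated with an unauthenticated peer. -->
  <acceptor name="clients-mtls">tcp://0.0.0.0:61616?protocols=AMQP,STOMP,MQTT;sslEnabled=true;keyStorePath=/etc/artemis/broker-keystore.jks;keyStorePassword=CHANGE_ME;trustStorePath=/etc/artemis/client-truststore.jks;trustStorePassword=CHANGE_ME;needClientAuth=true;useEpoll=true</acceptor>

  <!-- Broker-to-broker acceptor: CORE stays available for federation and
       clustering, but only on an address in the trusted broker network
       (placeholder 10.0.5.10) and likewise behind mutual TLS. -->
  <acceptor name="brokers-mtls">tcp://10.0.5.10:61617?protocols=CORE;sslEnabled=true;keyStorePath=/etc/artemis/broker-keystore.jks;keyStorePassword=CHANGE_ME;trustStorePath=/etc/artemis/broker-truststore.jks;trustStorePassword=CHANGE_ME;needClientAuth=true;useEpoll=true</acceptor>
</acceptors>
```

The last bullet (restricting outbound connections) is a network-layer control rather than an acceptor setting: egress rules on the broker host that allow connections only to the known peer brokers.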

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
