JustAppSec

CVE-2026-27446: Apache Artemis Core protocol federation can be abused for message injection and exfiltration

What happened

NVD published CVE-2026-27446, a Missing Authentication for Critical Function (CWE-306) issue in Apache Artemis / Apache ActiveMQ Artemis that allows an unauthenticated remote attacker using the Core protocol to force a broker to establish an outbound Core federation connection to an attacker-controlled broker. This can enable message injection into queues and/or message exfiltration from queues via the rogue broker.

Apache’s CNA scored the issue CVSS v4.0 9.3 (Critical), while NVD itself is still marked “Awaiting Analysis.”

Who is impacted

Affected versions listed by NVD:

  • Apache Artemis: 2.50.0 through 2.51.0
  • Apache ActiveMQ Artemis: 2.11.0 through 2.44.0

The disclosure notes that the issue is only exploitable in environments that allow both:

  • Incoming Core protocol connections from untrusted sources to the broker (the default "artemis" acceptor on port 61616 enables Core alongside every other protocol), and
  • Outgoing Core protocol connections from the broker to untrusted targets (the attacker needs the broker to be able to reach the rogue broker).

What to do now

  • Upgrade to Apache Artemis 2.52.0 (listed as the fixing release in the NVD record).
  • If you cannot upgrade immediately, consider the mitigations described in the record:
    • Disable Core protocol on any acceptor reachable by untrusted clients: set the acceptor's protocols parameter explicitly, because an acceptor with no protocols parameter enables every available protocol, Core included.
    • Enforce two-way (mutual) TLS on acceptors that must keep Core (sslEnabled=true together with needClientAuth=true on the acceptor URL), so every client must present a certificate trusted by the broker before any protocol handshake is attempted.
  • Operational checks for platform engineers:
    • Audit brokers with port 61616 exposed beyond trusted networks.
    • Review federation configurations and restrict outbound broker connections to trusted endpoints only.
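To make the acceptor mitigations and the "audit exposed brokers" check concrete, the following script parses a broker.xml and flags every acceptor that still has Core enabled without mutual TLS. It is example code written for this article, not part of Apache ActiveMQ Artemis or of the NVD record; the broker.xml it reads is constructed inline and shows the weak default-style acceptor next to the two corrected forms (Core removed, or Core kept behind mutual TLS). The acceptor URL parameter names it inspects (protocols, sslEnabled, needClientAuth) are real Artemis acceptor parameters; the host addresses, keystore paths and passwords are placeholders. It checks configuration only, not whether the port is actually reachable from untrusted networks, and it does not look at federation settings.

```python
"""Flag Artemis acceptors that expose the Core protocol without mutual TLS.

Example code for this article, not part of Apache ActiveMQ Artemis.
The sample broker.xml below is constructed; paths and passwords are placeholders.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# broker.xml places acceptors under <core xmlns="urn:activemq:core">.
NS = {"core": "urn:activemq:core"}

# Constructed sample: weak default-style acceptors next to the two mitigations.
SAMPLE_BROKER_XML = """<?xml version="1.0"?>
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <!-- default-style acceptor: every protocol, plaintext, bound to all interfaces -->
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true</acceptor>
      <!-- no protocols parameter at all: Artemis enables everything, Core included -->
      <acceptor name="legacy">tcp://0.0.0.0:61617</acceptor>
      <!-- mitigation 1: Core removed from the acceptor that untrusted clients reach -->
      <acceptor name="amqp-only">tcp://0.0.0.0:5672?protocols=AMQP</acceptor>
      <!-- mitigation 2: Core kept, but only behind mutual TLS (placeholder stores) -->
      <acceptor name="core-mtls">tcp://10.0.0.5:61616?protocols=CORE;sslEnabled=true;keyStorePath=/etc/artemis/broker.p12;keyStorePassword=changeit;needClientAuth=true;trustStorePath=/etc/artemis/clients.p12;trustStorePassword=changeit</acceptor>
    </acceptors>
  </core>
</configuration>
"""


def parse_acceptor_url(url):
    """Split an acceptor URL into (host, port, params).

    Artemis separates acceptor parameters with ';' rather than '&', so the
    query string is split by hand instead of with parse_qs.
    """
    parts = urlsplit(url)
    params = {}
    for item in parts.query.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip()] = value.strip()
    return parts.hostname, parts.port, params


def core_enabled(params):
    """Core is on unless a protocols parameter is present and omits it."""
    protocols = params.get("protocols")
    if protocols is None:
        return True  # no protocols parameter: every available protocol is enabled
    return "CORE" in {p.strip().upper() for p in protocols.split(",")}


def mutual_tls(params):
    """Both sslEnabled and needClientAuth default to false in Artemis."""
    return (params.get("sslEnabled", "false").lower() == "true"
            and params.get("needClientAuth", "false").lower() == "true")


def audit_broker_xml(xml_text):
    """Return one finding per acceptor; 'risky' means Core reachable without mTLS."""
    root = ET.fromstring(xml_text)
    findings = []
    for acceptor in root.findall(".//core:acceptors/core:acceptor", NS):
        host, port, params = parse_acceptor_url(acceptor.text.strip())
        core = core_enabled(params)
        mtls = mutual_tls(params)
        if "protocols" not in params:
            note = "no protocols parameter: all protocols enabled by default"
        elif core and not mtls:
            note = "Core enabled without needClientAuth=true"
        else:
            note = ""
        findings.append({
            "name": acceptor.get("name"),
            "host": host,
            "port": port,
            "core": core,
            "mtls": mtls,
            "risky": core and not mtls,
            "note": note,
        })
    return findings


def audit_file(path):
    """Convenience wrapper for a real broker.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_broker_xml(fh.read())


if __name__ == "__main__":
    for f in audit_broker_xml(SAMPLE_BROKER_XML):
        flag = "RISK" if f["risky"] else "ok  "
        print(f"{flag} {f['name']:<10} {f['host']}:{f['port']} core={f['core']} mtls={f['mtls']} {f['note']}")
```

Run against a real file with audit_file("/var/lib/artemis/etc/broker.xml"); any acceptor reported as RISK that is reachable from an untrusted network matches the exposure condition in the disclosure and needs either its protocols list trimmed or needClientAuth=true added. Restricting the bind address (10.0.0.5 in the sample rather than 0.0.0.0) narrows exposure but is not a substitute for either mitigation.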

Additional Information

  • Weakness: CWE-306 (Missing Authentication for Critical Function).
  • Primary references in the NVD record include an oss-security thread and an Apache mailing-list thread.
Source: National Vulnerability Database (NVD)
Published 04 Mar 2026

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
