Warning: Authentication bypass vulnerability affecting Apache Artemis and Apache ActiveMQ Artemis can lead to message injection and exfiltration, Patch Immediately!

Published : 05/03/2026
  • Last update: 05/03/2026
  • Affected software:
    → Apache Artemis, Apache ActiveMQ Artemis
  • Type: Authentication bypass
  • CVE/CVSS
    → CVE-2026-27446: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L)

Sources

https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg

Risks

The Apache Software Foundation released an advisory for CVE-2026-27446, a critical vulnerability affecting Apache Artemis and Apache ActiveMQ Artemis. The flaw is an authentication bypass in Core downstream federation that can be exploited to inject malicious messages into, or exfiltrate messages from, any queue on a target broker.

The Apache Software Foundation did not report active exploitation (cut-off date: 04 March 2026). However, threat actors have repeatedly targeted Apache ActiveMQ products in the past, notably to deploy ransomware.

In this particular case, exploitation of CVE-2026-27446 requires neither authentication nor user interaction, and the attack complexity is low. The only precondition is network access to a Core acceptor of the target broker, combined with the broker being able to open an outbound Core connection to a host the attacker controls.

Description

CVE-2026-27446 is a missing authentication for critical function (CWE-306) vulnerability affecting Apache Artemis and Apache ActiveMQ Artemis.

The flaw arises because a critical function of the Core protocol, the set-up of broker-to-broker federation, can be reached without authentication. An unauthenticated remote attacker who can open a Core connection to a target broker can instruct it to establish an outbound Core federation connection to an attacker-controlled rogue broker. Once that downstream federation link exists, the attacker can use it to inject arbitrary messages into any queue or to exfiltrate messages from any queue on the target broker.

This vulnerability impacts environments that permit both incoming Core protocol connections from untrusted sources and outgoing Core protocol connections to untrusted destinations. An environment that blocks either direction, at the acceptor or through egress filtering, does not meet the conditions for this attack path.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends upgrading affected brokers to the fixed release listed in the Apache advisory with the highest priority, after thorough testing.

Mitigation
The Apache Software Foundation indicates that mitigations exist, namely:

  • Removing Core protocol support from any acceptor that receives connections from untrusted sources. The default broker.xml accepts Core on the "artemis" acceptor listening on port 61616; check the "protocols" URL parameter of every acceptor. An acceptor URL without this parameter accepts all protocols, including Core.
  • Using two-way SSL (mutual TLS, i.e. certificate-based authentication) so that every client must present a valid certificate when establishing a connection, before any messaging protocol handshake is attempted. This prevents unauthenticated exploitation of this vulnerability; a peer holding a trusted certificate can still reach the Core protocol, so this is a stop-gap until the patch is applied.
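As an added example (not part of the advisory, and not code from the Apache ActiveMQ Artemis project), the following Python script audits a broker.xml for the exposure condition described above: each acceptor is flagged when it still accepts Core (no "protocols" parameter, or CORE in the list) without requiring a client certificate. The sample configuration is constructed for this example; the acceptor URL syntax (tcp://host:port?key=value;key=value) and the parameter names protocols, sslEnabled and needClientAuth are Artemis's own, while the acceptor names, ports and keystore paths are invented.

```python
"""Audit an ActiveMQ Artemis broker.xml for acceptors that still expose the
Core protocol without certificate-based client authentication, i.e. the
exposure condition for CVE-2026-27446 described in the advisory."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample broker.xml (not taken from any real deployment). The
# first acceptor mirrors the default "artemis" acceptor on port 61616; the
# "legacy" acceptor has no protocols parameter and therefore accepts Core too;
# the "mtls" acceptor accepts Core but only after client-certificate auth.
VULNERABLE_BROKER_XML = """<?xml version="1.0"?>
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true</acceptor>
      <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP</acceptor>
      <acceptor name="legacy">tcp://0.0.0.0:61618</acceptor>
      <acceptor name="mtls">tcp://0.0.0.0:61617?sslEnabled=true;keyStorePath=/etc/artemis/broker.p12;keyStorePassword=changeit;trustStorePath=/etc/artemis/trust.p12;trustStorePassword=changeit;needClientAuth=true</acceptor>
    </acceptors>
  </core>
</configuration>
"""

# The same broker after the first mitigation: CORE removed from the public
# acceptor's protocol list and the "legacy" acceptor given an explicit list.
# The mTLS acceptor keeps Core, guarded by needClientAuth=true.
HARDENED_BROKER_XML = VULNERABLE_BROKER_XML.replace(
    "protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE", "protocols=AMQP,STOMP,MQTT,OPENWIRE"
).replace(
    "tcp://0.0.0.0:61618</acceptor>", "tcp://0.0.0.0:61618?protocols=AMQP,STOMP</acceptor>"
)


@dataclass
class AcceptorFinding:
    name: str
    url: str
    accepts_core: bool
    requires_client_cert: bool

    @property
    def exposed(self) -> bool:
        # Exposure condition from the advisory: Core reachable by a peer that
        # has not presented a client certificate before the protocol handshake.
        return self.accepts_core and not self.requires_client_cert


def parse_acceptor_params(url: str) -> dict:
    """Split an Artemis acceptor URL into its ';'-separated key=value parameters."""
    _, _, query = url.partition("?")
    params = {}
    for item in filter(None, query.split(";")):
        key, _, value = item.partition("=")
        params[key.strip()] = value.strip()
    return params


def audit_acceptors(broker_xml: str) -> list:
    """Return one AcceptorFinding per <acceptor> element, in document order."""
    root = ET.fromstring(broker_xml)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "acceptor":
            continue  # namespace-agnostic match on <acceptor>
        url = (elem.text or "").strip()
        params = parse_acceptor_params(url)
        protocols = params.get("protocols")
        # No "protocols" parameter means every protocol is accepted, Core included.
        accepts_core = protocols is None or "CORE" in {
            p.strip().upper() for p in protocols.split(",")
        }
        requires_client_cert = (
            params.get("sslEnabled", "false").lower() == "true"
            and params.get("needClientAuth", "false").lower() == "true"
        )
        findings.append(AcceptorFinding(elem.get("name", "?"), url, accepts_core, requires_client_cert))
    return findings


def exposed_acceptors(broker_xml: str) -> list:
    """Names of acceptors that still offer unauthenticated Core."""
    return [f.name for f in audit_acceptors(broker_xml) if f.exposed]


if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_BROKER_XML), ("hardened", HARDENED_BROKER_XML)):
        names = exposed_acceptors(xml_text) or ["none"]
        print(f"{label}: acceptors still exposing unauthenticated Core: {', '.join(names)}")
```

Run it against a real broker.xml by reading the file into `audit_acceptors`; any acceptor reported as exposed that is reachable from untrusted networks should either lose Core from its "protocols" list or be switched to two-way SSL, as in the two mitigations above. The check only covers the incoming half of the exposure condition; whether the broker can make outgoing Core connections to untrusted destinations is a network-policy question outside the configuration file.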

Monitor/Detect
The CCB recommends that organizations increase their monitoring and detection capabilities to identify any related suspicious activity and to ensure a swift response in case of an intrusion. In particular, review broker logs for federation connections the broker initiated towards hosts that are not known brokers, and look for unexpected messages appearing in, or disappearing from, queues; outbound Core connections from brokers to unknown destinations can also be spotted with network egress logging.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
https://radar.offseq.com/threat/cve-2026-27446-cwe-306-missing-authentication-for--ed42be89