External risk intelligence

Apache Artemis Core Protocol Federation Vulnerability.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-27446

A vulnerability in Apache Artemis and Apache ActiveMQ Artemis allows an unauthenticated attacker to inject or exfiltrate messages by forcing a broker to connect to a rogue server. This can occur if the environment permits untrusted incoming or outgoing connections using the Core protocol, potentially impacting message

Halo Surface Signal: 2

Missing Authentication

Apache Artemis

2.11.0 to 2.44.0

2.50.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-27446

Apache ActiveMQ Artemis is typically deployed as an internal messaging broker within an enterprise application architecture. While it uses the Core protocol on port 61616, it is not designed to be a public-facing service and is almost always restricted to internal network segments, behind firewalls, or accessible only by authorized application components.

PCI scan relevance

PCI Relevance for CVE-2026-27446

Yes

CVE-2026-27446 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated remote attackers to inject or exfiltrate messages, making it relevant for PCI scans due to its critical severity.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Apache Artemis and Apache ActiveMQ Artemis could allow an unauthenticated attacker to inject or exfiltrate messages by establishing a connection to a rogue server. This risk exists if your environment allows untrusted incoming or outgoing connections using the Core protocol.

  • Unauthenticated attackers can control messages.
  • It impacts message integrity and confidentiality.
  • Confirm exposure; apply mitigations if relevant.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can leverage the Apache Artemis Core protocol to trick a broker into forming an unauthorized connection with a rogue broker they control. This allows them to potentially inject or steal messages from any queue.

  • No authentication required.
  • Force outbound connection to attacker.
  • Message injection and exfiltration.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated remote attacker to inject or exfiltrate messages from queues by forcing a broker to establish an outbound connection to a rogue broker, when the environment allows untrusted incoming and outgoing Core protocol connections.

  • Message queues could be affected.
  • Untrusted connections could enable exposure.
  • Message injection or exfiltration may occur.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for managing Apache Artemis/ActiveMQ Artemis, especially if the Core protocol is exposed to untrusted sources or targets. The first critical step is to identify all instances of the affected software, determine their reachability and business criticality, and then confirm the accountable owner for each. Once identified and prioritized, a remediation plan, which may involve vendor coordination or implementing mitigations, should be developed.

  • Confirm affected technology and owner.
  • Verify Core protocol exposure and reachability.
  • Plan remediation based on risk.

Frequently asked questions

What is Apache Artemis and why is it used?

Apache Artemis and ActiveMQ Artemis are open-source, high-performance messaging brokers. They function as a middleware layer in software architectures, allowing different applications to communicate reliably by sending and receiving messages through organized queues. Because they handle critical data flow between services, they are foundational components in many enterprise environments, acting as the central hub for asynchronous processing and distributed systems.

What is the vulnerability behind CVE-2026-27446?

This vulnerability is classified as Missing Authentication for Critical Function (CWE-306). In plain English, the broker fails to verify the identity of parties requesting new connections. Because of this, an unauthenticated attacker can command the broker to connect to an external, rogue broker of their choosing. This trust flaw allows the attacker to turn a legitimate messaging component into a conduit for reading or adding data to queues without needing valid credentials.

How does an attacker trigger this bug?

The attack requires the broker to allow specific network traffic patterns. It occurs when a target broker accepts untrusted incoming Core protocol connections and simultaneously permits outgoing Core connections to arbitrary, untrusted targets. If the broker is configured to block these outbound connections or requires legitimate authentication for incoming traffic, this specific attack path is effectively neutralized.

Do I need to worry if my Artemis instance is internal?

Halo Surface Signal indicates that Apache ActiveMQ Artemis is typically deployed as an internal messaging broker within enterprise architectures. While this suggests it is rarely intended to be public-facing, it does not mean it is immune to risk. You should assess whether your internal network segments allow untrusted traffic to reach the broker on the default port 61616, as an attacker with access to your internal network could still exploit this vulnerability.

What is the recommended first step for response?

Your first step is to locate all instances of Apache Artemis within your infrastructure and confirm their current version. If you are running an affected version, check your configuration to see if you are using the default 'artemis' acceptor, which enables the Core protocol by default. Prioritize patching to version 2.52.0, or implement mitigations like two-way SSL or a Core interceptor to block unauthorized federation requests if an immediate upgrade is not feasible.
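One way to carry out the acceptor check described above, as an added example that is not part of the original advisory or of the Artemis project: it parses a `broker.xml` and lists acceptors that serve the Core protocol without two-way SSL. The sample configuration is constructed, and treating `sslEnabled=true` plus `needClientAuth=true` as the two-way SSL mitigation is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample broker.xml for illustration (not from a real deployment).
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE</acceptor>
      <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP</acceptor>
      <acceptor name="core-mtls">tcp://10.0.0.5:61617?protocols=CORE;sslEnabled=true;needClientAuth=true</acceptor>
      <acceptor name="legacy">tcp://0.0.0.0:61618</acceptor>
    </acceptors>
  </core>
</configuration>"""


def parse_params(uri):
    """Return (endpoint, params) for an acceptor URI such as tcp://host:port?k=v;k2=v2."""
    endpoint, _, query = uri.strip().partition("?")
    params = {}
    for pair in re.split(r"[;&]", query):  # Artemis separates parameters with ';' (or '&')
        key, sep, value = pair.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return endpoint, params


def audit_acceptors(broker_xml):
    """List acceptors that speak the Core protocol without two-way TLS."""
    findings = []
    for element in ET.fromstring(broker_xml).iter():
        if element.tag.rsplit("}", 1)[-1] != "acceptor":  # ignore the XML namespace
            continue
        endpoint, params = parse_params(element.text or "")
        protocols = params.get("protocols")
        # Without a protocols parameter the acceptor serves every installed protocol, Core included.
        core = protocols is None or "CORE" in [p.strip().upper() for p in protocols.split(",")]
        # Assumption: two-way SSL means sslEnabled=true together with needClientAuth=true.
        mutual_tls = (params.get("sslEnabled", "").lower() == "true"
                      and params.get("needClientAuth", "").lower() == "true")
        if core and not mutual_tls:
            reason = "no protocols filter" if protocols is None else "CORE listed"
            findings.append({"name": element.get("name"), "endpoint": endpoint, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_acceptors(SAMPLE_BROKER_XML):
        print("REVIEW {name} {endpoint}: Core protocol without client-certificate auth ({reason})".format(**finding))
```

A flagged acceptor is a candidate for review, not proof of exposure: the script does not evaluate Core interceptors, network filtering, or whether the broker can open outbound connections.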
