critical advisory

Apache Artemis and ActiveMQ Artemis Authentication Bypass Vulnerability

CVE-2026-27446 allows an unauthenticated remote attacker to inject malicious messages or exfiltrate data from Apache Artemis and ActiveMQ Artemis brokers due to a missing authentication check in the Core protocol.

On March 5, 2026, the Centre for Cybersecurity Belgium (CCB) issued a warning regarding CVE-2026-27446, a critical authentication bypass vulnerability affecting Apache Artemis and Apache ActiveMQ Artemis. This vulnerability stems from a lack of proper authentication controls within the Core protocol used for communication between brokers. Successful exploitation allows unauthenticated remote attackers to force a target broker to establish an outbound Core federation connection to a rogue broker…

Detection coverage 2

Detect Outbound Core Protocol Connection to Suspicious IP

high

Detects outbound connections using the Core protocol to IP addresses not in the known good list.

sigma | tactics: command_and_control | techniques: T1071.001 | sources: network_connection, linux

Detect Artemis Message Injection via Core Protocol

high

Detects message injection attempts by monitoring for specific patterns or keywords within Core protocol messages.

sigma | tactics: command_and_control | techniques: T1071.001 | sources: network_connection, linux
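The first detection above (outbound Core connections to destinations outside a known-good list) can be prototyped as follows. This is an added example, not the platform's rule: the event field names (`User`, `Initiated`, `DestinationIp`, `DestinationPort`), the `artemis` service account and the allowlisted networks are assumptions, and the events are constructed.

```python
import ipaddress
import json

# Assumption: networks holding the cluster/federation peers this broker may legitimately reach.
KNOWN_GOOD = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.15/32")]
BROKER_USER = "artemis"  # assumption: service account the broker runs as

# Constructed sample network_connection events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = """\
{"User":"artemis","Image":"/usr/bin/java","Initiated":"true","DestinationIp":"10.20.0.7","DestinationPort":61616}
{"User":"artemis","Image":"/usr/bin/java","Initiated":"true","DestinationIp":"203.0.113.50","DestinationPort":61616}
{"User":"artemis","Image":"/usr/bin/java","Initiated":"false","DestinationIp":"10.20.0.9","DestinationPort":61616}
{"User":"www-data","Image":"/usr/bin/curl","Initiated":"true","DestinationIp":"198.51.100.4","DestinationPort":443}
{"User":"artemis","Image":"/usr/bin/java","Initiated":"true","DestinationIp":"not-an-ip","DestinationPort":61616}
{"User":"artemis","Image":"/usr/bin/java","Initiated":"true","DestinationIp":"198.51.100.77","DestinationPort":8443}
"""


def is_known_good(ip_text):
    """True only when ip_text parses and falls inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable destination: fail closed so it is alerted on
    return any(ip in net for net in KNOWN_GOOD)


def find_suspicious(lines):
    """Return broker-initiated outbound events whose destination is not allowlisted."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        outbound = str(ev.get("Initiated", "")).lower() == "true"
        if ev.get("User") != BROKER_USER or not outbound:
            continue
        # No port filter: the remote side of a forced connection picks its own port.
        if not is_known_good(ev.get("DestinationIp", "")):
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print("ALERT outbound broker connection:", ev["DestinationIp"], ev["DestinationPort"])
```

Keying on the broker's identity plus a destination allowlist, rather than on a port number, keeps the check effective when the unexpected peer does not use the broker's usual port.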
