Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
CVE-2024-32114
Verified
Description
Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.
Severity
High
CVSS Score
8.8
Exploit Probability
7%
Affected Product
activemq
Published Date
May 2, 2026
Template Author
chrisjr404
CVE-2024-32114.yaml
id: CVE-2024-32114
info:
name: Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control
author: ChrisJr404
severity: high
description: |
Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.
impact: |
Unauthenticated users can interact with the broker, potentially producing, consuming, or deleting messages and accessing sensitive management APIs.
remediation: |
Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.
reference:
- https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt
- https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2024-32114
- https://github.com/advisories/GHSA-gj5m-m88j-v7c3
- https://nvd.nist.gov/vuln/detail/CVE-2024-32114
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2024-32114
cwe-id: CWE-1188
epss-score: 0.0692
epss-percentile: 0.93331
metadata:
verified: true
max-request: 2
vendor: apache
product: activemq
shodan-query: http.title:"ActiveMQ"
fofa-query: title="ActiveMQ"
tags: cve,cve2024,activemq,apache,jolokia,vkev
http:
- method: GET
path:
- "{{BaseURL}}/api/jolokia/search/org.apache.activemq:type=Broker,*"
matchers:
- type: dsl
dsl:
- 'contains_all(body, "request\":{", "type=Broker", "mbean\":", "org.apache.activemq")'
- 'contains(content_type, "text/plain")'
- 'status_code == 200'
condition: and
# digest: 490a00463044022079e42479496bff0912fb279c900df58cfbee7462dc7010da950fab54ae48202402202494676c082d05949f3ff311f2cf9431a346a4945af2bdfa2dcf249bbe0f711f:922c64590222798bb761d5b6d8e729508.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID:
cve-2024-32114
CWE ID:
cwe-1188
Remediation Steps
Upgrade to Apache ActiveMQ 6.1.2 or later, or update `conf/jetty.xml` to require authentication on the `/api/` web context.