Platform
java
Component
openmq
Fixed in
6.5.2
CVE-2026-24457 describes an Arbitrary File Access vulnerability in Eclipse OpenMQ. The flaw allows a remote attacker to read arbitrary files from the MQ broker's server, exposing sensitive data and enabling further malicious activity. It affects all Eclipse OpenMQ releases up to and including 6.5.1 and is fixed in 6.5.2; upgrading is the recommended remediation.
The impact of CVE-2026-24457 is significant because a remote attacker gains read access to any file the OpenMQ broker process can read. On a typical deployment that includes the broker's configuration (with any stored credentials or keystore passwords), its message store, and, if the broker runs with excessive privileges, system files. Note that the vulnerability itself is a file read, not code execution: the Remote Code Execution (RCE) mentioned in this advisory is a possible follow-on, for example reusing credentials recovered from configuration files to reach other systems, rather than something the flaw provides directly. It still warrants high priority, since a CVSS 9.1 file read on a message broker hands over exactly the secrets that make later compromise easy.
CVE-2026-24457 was publicly disclosed on 2026-03-05. No public Proof-of-Concept (PoC) exploit is known at the time of writing, and the CVE is not listed in the CISA KEV catalog. The CVSS score of 9.1 (CRITICAL) measures severity, not likelihood of exploitation; the EPSS figure below (0.26%) is the exploitation-probability signal and is currently low, though a PoC release would be expected to move it sharply. The severity of the outcome is reason enough to prioritize patching or compensating controls now.
Exploit Status
EPSS
0.26% (49th percentile)
CISA SSVC
The primary mitigation for CVE-2026-24457 is to upgrade Eclipse OpenMQ to 6.5.2 or later (see Fixed in above); consult the Eclipse OpenMQ website for the current release. If an immediate upgrade is not feasible, reduce exposure in the meantime. Restrict network access to the broker's listening ports (the port mapper, 7676 by default, and the service ports it advertises) to known producer, consumer and admin hosts using a host or network firewall. Run the broker as a dedicated, unprivileged account so the set of readable files is limited to the broker's own installation and data directories, and keep secrets out of world-readable locations. Review broker logs for unexpected connections, and consider file-access auditing (for example auditd watches) on the broker's configuration directory, since the broker itself will not log which files an attacker read. A conventional WAF adds little here: the broker speaks its own protocol rather than HTTP on its main ports, so network-level filtering of who may reach the broker is the effective control.
Update Eclipse OpenMQ to 6.5.2 or later. This release corrects the unsafe configuration parsing that allows arbitrary file reading.
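The check below is an added example, not code from this page or from the OpenMQ project. It walks a Maven pom.xml, resolves `${property}` version references, and flags every Eclipse OpenMQ artifact whose version is below 6.5.2, using a version comparison that treats 6.10 as newer than 6.5 and -SNAPSHOT builds as pre-release. It assumes the artifacts are published under the groupId `org.glassfish.mq`; the sample pom is constructed for the example. This covers brokers embedded via Maven; for a standalone broker install, check the version the broker reports at startup instead.

```python
import re
import xml.etree.ElementTree as ET

# Fixed release from the advisory: every release below it (0 through 6.5.1) is affected.
FIXED_VERSION = "6.5.2"
# Assumption: Maven groupId under which Eclipse OpenMQ artifacts are published.
OPENMQ_GROUP_ID = "org.glassfish.mq"

# Constructed sample pom.xml for this example (not from any real project).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>broker-embed</artifactId>
  <version>1.0.0</version>
  <properties>
    <openmq.version>6.5.1</openmq.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.glassfish.mq</groupId>
      <artifactId>imq</artifactId>
      <version>${openmq.version}</version>
    </dependency>
    <dependency>
      <groupId>org.glassfish.mq</groupId>
      <artifactId>imqjmsra</artifactId>
      <version>6.5.2</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Sortable key for a Maven-style version string.

    Numeric segments compare as integers (6.10 > 6.5, unlike a string
    compare) and a qualifier such as -SNAPSHOT or -RC1 sorts before the
    final release carrying the same number."""
    base, _, qualifier = version.strip().partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    nums += [0] * (3 - len(nums))          # pad so 6.5 and 6.5.0 compare equal
    return (tuple(nums), 0 if qualifier else 1)


def is_affected(version):
    """True if the given OpenMQ version is below the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def resolve_property(value, props):
    """Expand a ${name} reference against the pom's <properties>."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    return props.get(m.group(1), value) if m else value.strip()


def openmq_dependencies(pom_xml):
    """Return every OPENMQ_GROUP_ID dependency in the pom with its resolved
    version and whether that version is in the affected range.

    Looks at <dependencies> and <dependencyManagement> alike, since an
    embedded broker can be pulled in through either."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)

    props = {}
    props_el = root.find(q("properties"))
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    project_version = root.findtext(q("version"))
    if project_version:
        props["project.version"] = project_version.strip()

    found = []
    for dep in root.iter(q("dependency")):
        if dep.findtext(q("groupId"), default="").strip() != OPENMQ_GROUP_ID:
            continue
        version = resolve_property(dep.findtext(q("version"), default=""), props)
        found.append({
            "artifact": dep.findtext(q("artifactId"), default="").strip(),
            "version": version,
            # None when the version is inherited from a parent pom and
            # cannot be resolved from this file alone.
            "affected": is_affected(version) if version else None,
        })
    return found


if __name__ == "__main__":
    for dep in openmq_dependencies(SAMPLE_POM):
        status = {True: "AFFECTED", False: "ok", None: "unresolved"}[dep["affected"]]
        print(f"{OPENMQ_GROUP_ID}:{dep['artifact']}:{dep['version'] or '?'} -> {status}")
```

The script flags every OpenMQ artifact below the fixed release, including client-side ones such as the JMS resource adapter; the file-read flaw lives in the broker, but upgrading all OpenMQ artifacts to one version avoids mismatches. An "unresolved" result means the version comes from a parent pom or BOM, which you must inspect separately.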
CVE-2026-24457 is a CRITICAL (CVSS 9.1) vulnerability in Eclipse OpenMQ releases up to and including 6.5.1 that allows a remote attacker to read arbitrary files from the MQ broker's server, exposing sensitive data and potentially enabling follow-on compromise.
If you run any Eclipse OpenMQ release up to and including 6.5.1, including a broker embedded in your own application, you are affected. Check the broker's version and upgrade to 6.5.2 or later.
The recommended fix is to upgrade to a patched release (6.5.2 or later). Consult the Eclipse OpenMQ website for the latest version and upgrade instructions.
There are no confirmed reports of active exploitation and no known public PoC, but the CRITICAL severity and the sensitivity of the files a broker can read warrant prompt mitigation.
Refer to the Eclipse OpenMQ website and its security advisories for the latest information and official guidance on CVE-2026-24457.
CVSS Vector