{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24457", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2026-01-23T11:07:26.456Z", "datePublished": "2026-03-05T16:27:30.984Z", "dateUpdated": "2026-03-06T16:11:32.915Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Eclipse OpenMQ", "repo": "https://github.com/eclipse-ee4j/openmq", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "6.5.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Camilo G. AkA Dedalo (DeepSecurity Per\u00fa)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ\u2019s host OS. In some scenarios RCE could be achieved.<br>"}], "value": "An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ\u2019s host OS. In some scenarios RCE could be achieved."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-27", "description": "CWE-27 Path Traversal: 'dir/../../filename'", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-03-05T16:27:30.984Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/84"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:31.715526Z", "id": "CVE-2026-24457", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:11:32.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:31.715526Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:32.917Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Camilo G. AkA Dedalo (DeepSecurity Per\u00fa)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eclipse-ee4j/openmq", "vendor": "Eclipse Foundation", "product": "Eclipse OpenMQ", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.5.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/84"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ\u2019s host OS. In some scenarios RCE could be achieved.", "supportingMedia": [{"type": "text/html", "value": "An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ\u2019s host OS. In some scenarios RCE could be achieved.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-27", "description": "CWE-27 Path Traversal: 'dir/../../filename'"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-03-05T16:27:30.984Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24457", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:11:32.915Z", "dateReserved": "2026-01-23T11:07:26.456Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2026-03-05T16:27:30.984Z", "assignerShortName": "eclipse"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:openmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0C54C08-8788-4481-97CC-EAFFC7702412", "versionEndIncluding": "6.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ\u2019s host OS. In some scenarios RCE could be achieved."}, {"lang": "es", "value": "Un an\u00e1lisis inseguro de la configuraci\u00f3n de OpenMQ permite a un atacante remoto leer archivos arbitrarios de un servidor de MQ Broker. Una explotaci\u00f3n completa podr\u00eda leer archivos no autorizados del sistema operativo anfitri\u00f3n de OpenMQ. En algunos escenarios se podr\u00eda lograr RCE."}], "id": "CVE-2026-24457", "lastModified": "2026-04-15T13:30:43.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "emo@eclipse.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T19:16:02.780", "references": [{"source": "emo@eclipse.org", "tags": ["Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/84"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-27"}], "source": "emo@eclipse.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Eclipse OpenMQ", "source": "cna", "vendor": "Eclipse Foundation"}, "product": "openmq", "vendor": "eclipse"}], "analysis": {"en": {"generated_at": "2026-04-16T12:18:10.109758+00:00", "value": {"mitigation_remediation": ["Apply the latest official OpenMQ patch or upgrade to a supported version that addresses the unsafe configuration parsing flaw.", "Restrict network access to the OpenMQ management endpoint using firewall rules or VPNs so that only trusted hosts can modify configuration.", "Enforce strict validation on the configuration parser to prevent path traversal and reject any request that attempts to access files outside the allowed directory structure."], "summary": {"action": "Patch Now", "impact": "Remote File Read with potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Eclipse OpenMQ from Eclipse Foundation. Specific version information is not provided in the CVE data, so any deployment using OpenMQ should review its current version against the vendor\u2019s advisories.", "description_and_impact": "This vulnerability arises from unsafe parsing of OpenMQ\u2019s configuration, permitting an attacker to read arbitrary files on the broker\u2019s host operating system. The flaw enables path traversal, allowing access to files outside the intended configuration directory. A full exploitation could leak sensitive data, and in certain scenarios remote code execution may be achieved.", "risk_and_exploitability": "With a CVSS score of 9.1, the vulnerability is considered severe. The EPSS score of less than 1% indicates a low estimated probability of exploitation at this time, and it is not listed in the CISA KEV catalog. The likely attack vector is remote, via the OpenMQ configuration interface, and any attacker who can send crafted configuration data can read arbitrary files or potentially execute code depending on the environment."}}}}, "created": "2026-03-06T15:01:35.395325+00:00", "title": "OpenMQ Unsafe Configuration Parsing Enables Remote File Read and Potential RCE", "updated": "2026-04-16T12:30:06.110017+00:00", "vendors": ["eclipse", "eclipse$PRODUCT$openmq"]}