Cyber Posture

CVE-2026-24457

Critical

Published: 05 March 2026

Published
05 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0029 52.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24457 is a critical-severity Path Traversal (CWE-22) vulnerability in Eclipse Openmq. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses unsafe configuration parsing vulnerable to path traversal by requiring input validation at entry points to block arbitrary file read attempts.

SI-2 Flaw Remediation good match
prevent

Ensures timely identification, reporting, and correction of the specific flaw in OpenMQ's configuration parsing that enables remote arbitrary file reads.

AC-6 Least Privilege good match
prevent

Limits the MQ Broker process to least privilege file access, preventing reads of unauthorized host OS files even if path traversal succeeds.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

Vulnerability enables remote exploitation of public-facing MQ broker (T1190) for arbitrary file reads from local system and host OS (T1005), compromising sensitive data, with potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ’s host OS. In some scenarios RCE could be achieved.

Deeper analysisAI

CVE-2026-24457 involves unsafe parsing of OpenMQ's configuration in the OpenMQ MQ Broker server. This vulnerability, published on 2026-03-05, enables a remote attacker to read arbitrary files from the broker server, potentially including unauthorized files from the host operating system. It is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and is associated with CWE-22 (Path Traversal) and CWE-27 (Directory Traversal).

A remote attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required. Successful exploitation allows reading sensitive files from the MQ Broker server and host OS. In some scenarios, full exploitation could lead to remote code execution (RCE).

Mitigation details are available in the referenced advisory at https://gitlab.eclipse.org/security/cve-assignment/-/issues/84.

Details

CWE(s)
CWE-22CWE-27

Affected Products

eclipse
openmq
≤ 6.5.1

CVEs Like This One

CVE-2026-22886Same product: Eclipse Openmq
CVE-2026-2332Same vendor: Eclipse
CVE-2026-1188Same vendor: Eclipse
CVE-2025-67109Same vendor: Eclipse
CVE-2025-66518Shared CWE-22, CWE-27
CVE-2025-55100Same vendor: Eclipse
CVE-2026-1605Same vendor: Eclipse
CVE-2026-5795Same vendor: Eclipse
CVE-2025-0728Same vendor: Eclipse
CVE-2024-10838Same vendor: Eclipse

References