Apache Pekko security advisories

Security information for Apache Pekko

Reporting

Do you want disclose a potential security issue for Apache Pekko? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

management API basic authentication is not effective

CVE-2025-46548 [CVE] [CVE json] [OSV json]

Last updated: 2025-06-11T17:44:21.510Z

Affected

  • Apache Pekko Management from 1.0.0 before 1.1.1
  • Apache Pekko Management from 1.0.0 before 1.1.1
  • Apache Pekko Management from 1.0.0 before 1.1.1
  • Akka Management before 1.6.1
  • Akka Management before 1.6.1
  • Akka Management before 1.6.1

Description

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.
Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.

Akka was affected by the same issue and has released the fix in version 1.6.1.

References

Credits

  • Per-Ivar Bakke of GE Vernova (finder)