Apache Pekko security advisories
Security information for Apache Pekko
Reporting
Do you want disclose a potential security issue for Apache Pekko? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
management API basic authentication is not effective
CVE-2025-46548 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-11T17:44:21.510Z
Affected
- Apache Pekko Management from 1.0.0 before 1.1.1
- Apache Pekko Management from 1.0.0 before 1.1.1
- Apache Pekko Management from 1.0.0 before 1.1.1
- Akka Management before 1.6.1
- Akka Management before 1.6.1
- Akka Management before 1.6.1
Description
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.
Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.
Akka was affected by the same issue and has released the fix in version 1.6.1.
References
- https://github.com/apache/pekko-management/pull/418
- https://github.com/akka/akka-management/pull/1385
- https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66
Credits
- Per-Ivar Bakke of GE Vernova (finder)