CVE-2025-46548: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2025-46548) has been identified in Apache Pekko Management affecting versions 1.0.0 before 1.1.1 across multiple variants (pekko-management2.12, pekko-management2.13, and pekko-management_3). The issue was discovered by Per-Ivar Bakke of GE Vernova and disclosed on June 3, 2025. The vulnerability relates to Basic Authentication in Pekko Management when using the Java DSL, where the authenticator may not be properly applied (OSS Security).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue has been classified under CWE-287 (Improper Authentication). The vulnerability affects the Basic Authentication mechanism in Pekko Management's Java DSL implementation (NVD, Wiz).

When Basic Authentication is enabled in Pekko Management using the Java DSL, the authentication mechanism may fail to properly validate credentials, potentially allowing unauthorized access to the Management API. This could lead to exposure of sensitive information and potential system manipulation (AttackerKB).

Users are strongly recommended to upgrade to version 1.1.1 which contains the fix for this vulnerability. Akka users should upgrade to version 1.6.1. As an alternative workaround, organizations should ensure that Management API ports are only available to trusted users (OSS Security).