Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
- 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)
- 31 maven packages depend on org.apache.activemq:activemq-client (8 direct, 23 indirect)
- 4 maven packages depend on org.apache.activemq:activemq-web (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.
DescriptionCVE.org
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.
In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2.
Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
AnalysisAI
Improper path validation in Apache ActiveMQ Client and Broker allows authenticated users to traverse the classpath via crafted 'key' values in Stomp consumer creation and Web console message browsing operations, potentially enabling information disclosure or chaining with secondary attacks for greater impact. Affects ActiveMQ Client/Broker versions before 5.19.3 and 6.0.0-6.2.1; patch available in 5.19.4 and 6.2.3 (5.19.3/6.2.2 have platform-specific limitations). EPSS score of 0.04% indicates l
Technical ContextAI
This vulnerability stems from improper input validation in classpath path handling (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The root cause is insufficient sanitization when concatenating user-supplied 'key' values with classpath paths, allowing directory traversal sequences (e.g., '../') to escape intended resource boundaries. The vulnerability manifests in two code paths: (1) Stomp consumer creation, where the key parameter is used to construct resource paths without proper canonicalization, and (2) Web console message browsing operations that similarly concatenate user input into classpath resource lookups. The affected products span Apache ActiveMQ Client (CPE: cpe:2.3:a:apache_software_foundation:apache_activemq_client:*:*:*:*:*:*:*:*), ActiveMQ Broker (cpe:2.3:a:apache_software_foundation:apache_activemq_broker:*:*:*:*:*:*:*:*), and ActiveMQ Web console (cpe:2.3:a:apache_software_foundation:apache_activemq_web:*:*:*:*:*:*:*:*). A critical detail noted in vendor guidance: versions 5.19.3 and 6.2.2 contain incomplete fixes that fail on Windows environments due to path separator resolution bugs, requiring upgrade to 5.19.4 or 6.2.3 for full remediation across platforms.
RemediationAI
Upgrade to Apache ActiveMQ 5.19.4 or 6.2.3 immediately, which provide complete fixes for all platforms including Windows. Users on 5.19.3 or 6.2.2 should note these versions partially remediate the issue but contain platform-specific path separator bugs on Windows; upgrades to 5.19.4 or 6.2.3 are required for robust cross-platform protection. No workaround is documented; patching is the sole recommended mitigation. Refer to the Apache ActiveMQ security advisory at https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt for download links and detailed upgrade instructions. Systems unable to upgrade immediately should apply the strictest possible access controls to limit authenticated user connections to trusted principals only, and monitor Stomp and Web console access logs for suspicious key parameter patterns (e.g., '../' sequences).
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19586
GHSA-h2h4-5m64-m273