Apache ActiveMQ CVE-2026-40466

EUVD-2026-25410 | HIGH
Improper Input Validation (CWE-20)
Published 2026-04-24, vendor apache, advisory GHSA-w3w2-mpp5-92gm
CVSS 3.1 base score: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (10 events)

  • Apr 27, 2026 12:42, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Apr 27, 2026 12:37, vuln.today: Re-analysis Queued (cvss_changed)
  • Apr 27, 2026 12:23, vuln.today: PoC Detected, public exploit code
  • Apr 27, 2026 12:23, nvd: Patch released, patch available
  • Apr 24, 2026 21:30, vuln.today: Analysis Generated
  • Apr 24, 2026 19:22, NVD: CVSS changed, 8.8 (None) to 8.8 (HIGH)
  • Apr 24, 2026 12:16, EUVD: Patch available
  • Apr 24, 2026 10:30, euvd: EUVD ID Assigned, EUVD-2026-25410
  • Apr 24, 2026 10:30, vuln.today: Analysis Generated
  • Apr 24, 2026 10:15, nvd: CVE Published, HIGH 8.8

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves dependents to a depth of 4 paths):
  • 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
  • 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

Description (NVD)

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.
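An added audit check, not ActiveMQ's own code, for the connector-URI ingredients the description above names: a vm: transport, a brokerConfig parameter that points at a remote Spring XML context, or an HTTP discovery agent, anywhere inside a (possibly nested) composite transport URI. Run it over URIs submitted to BrokerView.addNetworkConnector/addConnector and over the URI lists a discovery endpoint returns; the sample URIs and the 203.0.113.x hosts are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Composite transport URI in ActiveMQ's syntax: scheme:(inner,inner,...)?opt=val
_COMPOSITE = re.compile(r'^(?P<scheme>[A-Za-z][\w+.-]*):\((?P<inner>.*)\)(?:\?(?P<query>.*))?$', re.S)
_REMOTE = re.compile(r'https?://', re.I)

def _split_top_level(s):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in s:
        depth += (ch == '(') - (ch == ')')
        if ch == ',' and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]

def flatten(uri):
    """Return the URI followed by every URI nested inside its composite parts."""
    m = _COMPOSITE.match(uri)
    if not m:
        return [uri]
    out = [uri]
    for inner in _split_top_level(m.group('inner')):
        out.extend(flatten(inner))
    return out

def _query_of(uri):
    """Query string of one URI; for composites only the outer ?opts, never the inner ones."""
    m = _COMPOSITE.match(uri)
    return (m.group('query') or '') if m else urlparse(uri).query

def audit_connector_uri(uri):
    """Return one finding per ingredient of the CVE-2026-40466 chain present in the URI."""
    findings = []
    for u in flatten(uri):
        scheme = u.split(':', 1)[0].lower()
        if scheme == 'vm':
            findings.append('vm: transport reachable through a connector URI: ' + u)
        if scheme == 'discovery':
            for inner in flatten(u)[1:]:
                if inner.split(':', 1)[0].lower() in ('http', 'https'):
                    findings.append('HTTP discovery agent pulls connector URIs from a remote endpoint: ' + inner)
        for value in parse_qs(_query_of(u)).get('brokerConfig', []):
            # brokerConfig hands a Spring XML context to ResourceXmlApplicationContext
            kind = 'remote' if _REMOTE.search(value) else 'local'
            findings.append(f'brokerConfig loads a {kind} Spring XML context: ' + value)
    return findings
```

A plain static:(tcp://...) network connector yields no findings; any vm: or brokerConfig hit on a remotely added connector, or in a discovery response, is worth an alert on brokers not yet on 5.19.6 / 6.2.5.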

Analysis (AI)

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. …

Remediation (AI)

Within 24 hours: Identify all ActiveMQ deployments running versions 5.x or 6.x and verify activemq-http module presence; document current versions and Jolokia exposure. Within 7 days: Apply vendor-released patches (ActiveMQ 5.19.6 or later for 5.x; 6.2.5 or later for 6.x) to all affected instances; restart services and verify successful upgrade. …

Vendor Status (Vendor)

CVE-2026-40466 vulnerability details – vuln.today