Skip to main content

Apache ActiveMQ CVE-2026-40466

| EUVDEUVD-2026-25410 HIGH
Improper Input Validation (CWE-20)
2026-04-24 apache GHSA-w3w2-mpp5-92gm
8.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Analysis Updated
Apr 27, 2026 - 12:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 27, 2026 - 12:37 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 12:23 vuln.today
Public exploit code
Patch released
Apr 27, 2026 - 12:23 nvd
Patch available
Analysis Generated
Apr 24, 2026 - 21:30 vuln.today
CVSS changed
Apr 24, 2026 - 19:22 NVD
8.8 (None) 8.8 (HIGH)
Patch available
Apr 24, 2026 - 12:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 10:30 euvd
EUVD-2026-25410
Analysis Generated
Apr 24, 2026 - 10:30 vuln.today
CVE Published
Apr 24, 2026 - 10:15 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
  • 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionCVE.org

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.

AnalysisAI

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.

Technical ContextAI

Apache ActiveMQ is a Java-based message broker implementing JMS (Java Message Service). This vulnerability exploits two underlying technologies: Jolokia (HTTP/JSON bridge for JMX) and Spring Framework's ResourceXmlApplicationContext. The attack chain leverages ActiveMQ's connector management through BrokerView MBeans accessible via Jolokia. When activemq-http module is present, the HTTP Discovery transport protocol accepts remote URIs that can redirect to VM transports. The VM transport's brokerConfig parameter historically allowed loading arbitrary Spring XML contexts. The root cause (CWE-20: Improper Input Validation) stems from insufficient validation of HTTP Discovery responses that return VM transport URIs, bypassing the incomplete fix in CVE-2026-34197. Spring's ResourceXmlApplicationContext eagerly instantiates singleton beans before ActiveMQ validates broker configuration, enabling attackers to execute arbitrary code through bean definitions specifying Runtime.getRuntime().exec() or similar factory methods. The CPE strings confirm all three distribution packages (activemq, activemq-broker, activemq-all) are vulnerable across versions 5.x (<5.19.6) and 6.x (<6.2.5).

RemediationAI

Upgrade immediately to Apache ActiveMQ 5.19.6 (for 5.x deployments) or 6.2.5 (for 6.x deployments) per vendor advisory at https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt. For environments where immediate patching is not feasible, apply these compensating controls with noted limitations: (1) Remove activemq-http JAR from broker classpath - eliminates HTTP Discovery transport capability but breaks legitimate HTTP-based network connectors; confirm no production configurations depend on HTTP transport before implementing. (2) Disable Jolokia endpoint entirely by removing jolokia-core JAR or blocking HTTP access to /api/jolokia/* paths at reverse proxy/firewall layer - prevents management via Jolokia but may break monitoring tools relying on JMX-over-HTTP. (3) Restrict Jolokia authentication to trusted administrator accounts only and audit BrokerView.addNetworkConnector/addConnector invocations - reduces attack surface but does not prevent exploitation by compromised admin credentials. (4) Deploy network segmentation to prevent broker JVM from initiating outbound HTTP connections to attacker-controlled endpoints - blocks malicious HTTP Discovery responses but may interfere with legitimate external integrations. All workarounds carry operational trade-offs; vendor patching is the only complete remediation.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Share

CVE-2026-40466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy