What is the CVSS score of CVE-2026-41044?

CVE-2026-41044 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Apache ActiveMQ are affected by CVE-2026-41044?

Apache ActiveMQ versions prior to 5.19.6 and 6.2.5 contain a remote code execution vulnerability requiring authenticated admin console access, allowing attackers to execute arbitrary code on the…. A patch is available.

How to fix or mitigate CVE-2026-41044?

Within 24 hours: identify all ActiveMQ deployments and document current versions. Within 7 days: upgrade to ActiveMQ 5.19.6 or 6.2.5 per Apache advisory and conduct version verification testing. Within 30 days: review admin console access logs for unauthorized activity and audit administrative credential assignments to privileged accounts.

Apache ActiveMQ CVE-2026-41044

EUVD-2026-25412 HIGH

Improper Input Validation (CWE-20)

2026-04-24 apache

GHSA-mr6m-xj7v-3cv3

RCE Apache Java Red Hat

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 27, 2026 - 14:52 vuln.today

cvss_changed

Patch released

Apr 27, 2026 - 14:49 nvd

Patch available

Analysis Generated

Apr 24, 2026 - 21:30 vuln.today

CVSS changed

Apr 24, 2026 - 19:22 NVD

8.8 (None) 8.8 (HIGH)

Patch available

Apr 24, 2026 - 12:16 EUVD

EUVD ID Assigned

Apr 24, 2026 - 10:30 euvd

EUVD-2026-25412

Analysis Generated

Apr 24, 2026 - 10:30 vuln.today

CVE Published

Apr 24, 2026 - 10:16 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionNVD

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.

An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file.

Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

AnalysisAI

Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). …

RemediationAI

Within 24 hours: identify all ActiveMQ deployments and document current versions. Within 7 days: upgrade to ActiveMQ 5.19.6 or 6.2.5 per Apache advisory and conduct version verification testing. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory