Skip to main content

Apache ActiveMQ CVE-2026-42253

| EUVDEUVD-2026-33578 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 security@apache.org GHSA-8wm6-6fqh-phmc
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 01, 2026 - 15:23 vuln.today
CVSS changed
Jun 01, 2026 - 15:22 NVD
6.1 (MEDIUM)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
Jun 01, 2026 - 09:16 nvd
MEDIUM 6.1
CVE Published
Jun 01, 2026 - 09:16 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 maven packages depend on org.apache.activemq:activemq-web (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.0.

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet.

This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. The MessageServlet has now been deprecated and disabled by default.

AnalysisAI

HTTP response header injection in Apache ActiveMQ's web console MessageServlet exposes users to security header override and cross-site scripting attacks. The servlet copies every JMS message property directly into HTTP response headers without sanitization, meaning an attacker who can publish crafted JMS messages to a broker queue can override headers such as Content-Security-Policy or X-Frame-Options when a web console user views those messages. No public exploit has been identified at time of analysis, and EPSS of 0.03% (9th percentile) reflects low observed exploitation probability, though the no-privilege-required CVSS vector and Scope:Changed score signal meaningful impact on browser security posture if exploited.

Technical ContextAI

Apache ActiveMQ's built-in web console exposes a MessageServlet that allows users to browse JMS messages stored in queues and topics. The vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs because this servlet reflects JMS message properties - arbitrary key-value metadata attached to messages - directly into HTTP response headers with no input validation or encoding. This is effectively an HTTP Response Header Injection issue classified under the XSS umbrella: injected headers can suppress or overwrite security directives like Content-Security-Policy, X-Frame-Options, or Strict-Transport-Security, degrading the browser's security posture for the victim's session. Affected CPE ranges cover Apache ActiveMQ and Apache ActiveMQ Web prior to 5.19.7, and from 6.0.0 through versions before 6.2.6. The CVSS Scope:Changed (S:C) reflects that the impact escapes the application boundary and affects the victim's browser context.

RemediationAI

Upgrade Apache ActiveMQ and Apache ActiveMQ Web to version 5.19.7 (for the 5.x branch) or 6.2.6 (for the 6.x branch), both confirmed as patched releases per vendor advisory at https://lists.apache.org/thread/j9vmlc410ht5f28fc98gx75jcbq62j00. In the patched versions, the MessageServlet has been deprecated and disabled by default, eliminating the vulnerable code path entirely. For deployments where immediate upgrade is not feasible, manually disabling or restricting access to the MessageServlet endpoint is the most effective compensating control - note that this will remove the ability to browse JMS messages from the web console. Additionally, restricting network access to the ActiveMQ web console to trusted internal networks or VPN reduces the attacker's ability to leverage injected headers against console users. Enforcing strong broker-level authentication for JMS producers limits who can plant malicious message properties, addressing the upstream condition for exploitation.

Share

CVE-2026-42253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy