Skip to main content

Apache ActiveMQ CVE-2026-42588

| EUVDEUVD-2026-33577 HIGH
Improper Input Validation (CWE-20)
2026-06-01 security@apache.org GHSA-hg6c-8mvr-jqc9
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 01, 2026 - 15:23 vuln.today
CVSS changed
Jun 01, 2026 - 15:22 NVD
8.1 (HIGH)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
Jun 01, 2026 - 09:16 nvd
HIGH 8.1
CVE Published
Jun 01, 2026 - 09:16 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
  • 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionCVE.org

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave:// " URL which can allow loading a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.

AnalysisAI

Authenticated remote code execution in Apache ActiveMQ Classic (versions before 5.19.7 and 6.0.0 through 6.2.5) is achievable via the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console. An authenticated attacker can invoke BrokerService.addNetworkConnector with a crafted masterslave:// discovery URI that loads a Spring XML application context, instantiating attacker-controlled singleton beans (e.g., Runtime.exec()) on the broker JVM. No public exploit identified at time of analysis and EPSS is low (0.06%), but the vendor-released patches and CVSS 8.1 score reflect a significant risk to message brokers exposing the web console.

Technical ContextAI

Apache ActiveMQ Classic ships a Jolokia agent (a JMX-over-HTTP bridge) mounted at /api/jolokia/ in the web console, with a default access policy that permits exec operations across all org.apache.activemq:* MBeans. The vulnerability chains an Improper Input Validation flaw (CWE-20) on the BrokerService.addNetworkConnector(String) MBean operation with Spring Framework's ResourceXmlApplicationContext loader. The attacker abuses ActiveMQ's VM transport brokerConfig parameter together with the masterslave:// URL scheme to make the broker load an arbitrary Spring XML application context. Because Spring instantiates all singleton beans before BrokerService validates the configuration, factory methods such as Runtime.exec() execute attacker-supplied commands in the broker's JVM context - converting a JMX configuration operation into full code execution.

RemediationAI

Vendor-released patch: upgrade to Apache ActiveMQ 5.19.7 (for the 5.x branch) or 6.2.6 (for the 6.x branch), per the Apache advisory at https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm. If immediate patching is not possible, restrict network access to the ActiveMQ web console and the /api/jolokia/ endpoint to trusted management networks only (trade-off: breaks remote JMX monitoring tools that rely on Jolokia), tighten the Jolokia access policy in jolokia-access.xml to deny exec operations on the org.apache.activemq:* domain or to allow-list only specific safe MBean operations (trade-off: may disrupt legitimate administrative automation), and rotate or strengthen web-console credentials and remove default/shared admin accounts to reduce the authenticated-attacker surface. Disabling the web console entirely (removing the jetty.xml war deployment) is the strongest workaround if remote administration is not needed, at the cost of losing browser-based management.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-42588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy