Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
- 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)
Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.
DescriptionCVE.org
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.
Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String).
An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave:// " URL which can allow loading a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
AnalysisAI
Authenticated remote code execution in Apache ActiveMQ Classic (versions before 5.19.7 and 6.0.0 through 6.2.5) is achievable via the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console. An authenticated attacker can invoke BrokerService.addNetworkConnector with a crafted masterslave:// discovery URI that loads a Spring XML application context, instantiating attacker-controlled singleton beans (e.g., Runtime.exec()) on the broker JVM. No public exploit identified at time of analysis and EPSS is low (0.06%), but the vendor-released patches and CVSS 8.1 score reflect a significant risk to message brokers exposing the web console.
Technical ContextAI
Apache ActiveMQ Classic ships a Jolokia agent (a JMX-over-HTTP bridge) mounted at /api/jolokia/ in the web console, with a default access policy that permits exec operations across all org.apache.activemq:* MBeans. The vulnerability chains an Improper Input Validation flaw (CWE-20) on the BrokerService.addNetworkConnector(String) MBean operation with Spring Framework's ResourceXmlApplicationContext loader. The attacker abuses ActiveMQ's VM transport brokerConfig parameter together with the masterslave:// URL scheme to make the broker load an arbitrary Spring XML application context. Because Spring instantiates all singleton beans before BrokerService validates the configuration, factory methods such as Runtime.exec() execute attacker-supplied commands in the broker's JVM context - converting a JMX configuration operation into full code execution.
RemediationAI
Vendor-released patch: upgrade to Apache ActiveMQ 5.19.7 (for the 5.x branch) or 6.2.6 (for the 6.x branch), per the Apache advisory at https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm. If immediate patching is not possible, restrict network access to the ActiveMQ web console and the /api/jolokia/ endpoint to trusted management networks only (trade-off: breaks remote JMX monitoring tools that rely on Jolokia), tighten the Jolokia access policy in jolokia-access.xml to deny exec operations on the org.apache.activemq:* domain or to allow-list only specific safe MBean operations (trade-off: may disrupt legitimate administrative automation), and rotate or strengthen web-console credentials and remove default/shared admin accounts to reduce the authenticated-attacker surface. Disabling the web console entirely (removing the jetty.xml war deployment) is the strongest workaround if remote administration is not needed, at the cost of losing browser-based management.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33577
GHSA-hg6c-8mvr-jqc9