Skip to main content

Apache ActiveMQ CVE-2026-49432

| EUVDEUVD-2026-40284 HIGH
Improper Input Validation (CWE-20)
2026-06-30 apache GHSA-xjwq-9jw5-jf7w
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated peer triggers DoS over the network with a simple malformed header (AV:N/AC:L/PR:N/UI:N); impact is availability-only via OOM/connection teardown, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 30, 2026 - 12:01 EUVD
Analysis Generated
Jun 30, 2026 - 11:17 vuln.today

DescriptionCVE.org

Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.

A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

AnalysisAI

Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or exhaust the broker by sending a negative content-length value. On the NIO STOMP transport the attacker streams body bytes to grow the per-connection command buffer past configured limits and force an out-of-memory condition, while the blocking STOMP transport instead throws an abnormal transport exception that closes the affected connection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed STOMP connector
Delivery
Open unauthenticated STOMP session
Exploit
Send frame with negative content-length
Execution
Stream body bytes growing command buffer
Persist
Exhaust JVM heap (OOM)
Impact
Broker denial-of-service

Vulnerability AssessmentAI

Exploitation Exploitation requires that an Apache ActiveMQ STOMP connector be enabled and network-reachable by the attacker; the OOM-style impact specifically requires the NIO STOMP transport, whereas the blocking STOMP transport yields only a single-connection abnormal close rather than broker-wide exhaustion. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was supplied by the source, so severity must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-exposed ActiveMQ STOMP connector and opens a TCP session to it without authenticating. They send a STOMP frame whose content-length header is set to a negative value and, on a NIO transport, continue streaming body bytes; the broker's per-connection command buffer grows past its configured limit and the JVM exhausts heap memory, taking the broker offline. …
Remediation Vendor-released patch: upgrade to Apache ActiveMQ 6.2.7 (for the 6.x line) or 5.19.8 (for the 5.x line), which fix the improper validation of the STOMP content-length header; the same fixed versions apply to the ActiveMQ All and ActiveMQ Stomp distributions, per the Apache advisory at https://lists.apache.org/thread/fsjb26605syqr8xks249h8gkp86t55d2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all ActiveMQ instances running affected versions (pre-5.19.8 or 6.0.0-6.2.6); implement firewall rules to restrict STOMP port access (default TCP 5672) to internal authorized systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy