GHSA-mhp6-f224-j2c3
Severity by source
CVSS Vector (Vendor, CNA, primary rating): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (7.5)
Network-reachable and low-complexity; PR:N, so any client that can open a broker connection qualifies, with no account or role assumed. The vendor scores the impact as integrity-only (I:H, with C:N and A:N), which matches reply messages being diverted away from the legitimate consumer. Note that the description's "read from temporary destinations belonging to a different connection" would ordinarily also be scored as a confidentiality impact; treat C:N as the vendor's scoring choice, not as an absence of disclosure risk.
Lifecycle Timeline: PRE-NVD
Analysis (AI)
Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only in the client library, never by the broker. Because that check lives in code the attacker runs, it is not enforcement at all: a malicious or rogue client that omits it can subscribe to and drain another connection's temporary queue or topic, and the broker performs no authorization of its own (CWE-862). …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires (1) the ability to establish a connection to the target ActiveMQ broker over a network-reachable transport (OpenWire, STOMP, AMQP, etc.), and (2) a victim application that uses Apache ActiveMQ Classic temporary destinations (the request/reply pattern) on the same broker. … |
| Risk Assessment | The vendor CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, 7.5) signals a network-reachable, low-complexity issue with no privileges required. On a broker that enforces client authentication, the practical bar is a valid client login; once connected, any client can reach the flaw, because the broker itself never checks who owns the temporary destination. … |
| Exploit Scenario | On a shared ActiveMQ broker, an application client opens a connection and uses a temporary destination to receive private request/reply messages. An attacker who can also connect to the broker references that same temporary destination and registers a consumer, silently draining or reading the victim's reply messages: the only ownership check was in the client library, which the attacker does not run, and the broker performed none of its own. … |
| Remediation | Vendor-released patch: upgrade to 6.2.7 on the 6.x line, or to 5.19.8 on the 5.x line; these releases add the missing server-side authorization check for temporary destinations (advisory: https://activemq.apache.org/ and https://lists.apache.org/thread/85f3q7mkh71y7qwyn6wvgw0bw4jl06ys). Since the missing check is on the broker side, updating only the client library does not help; the broker must be upgraded. … |
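The trust-boundary point behind this advisory, as an added example that is not Apache ActiveMQ code and not part of the original page: a small model of a broker with temporary destinations, where an honest client library refuses to consume from a queue created on another connection but a rogue client simply skips that step. With `enforce_ownership=False` the broker trusts the client, and the attacker drains the victim's reply; with `enforce_ownership=True` the broker repeats the ownership check itself, which is what the fixed releases do in substance. The class names, the queue-naming scheme and the sample reply payload are illustrative, and the model assumes the attacker already knows the temporary queue's name, which the page does not explain.

```python
from collections import deque


class NotAuthorized(Exception):
    """Raised when a connection tries to consume a temp queue it does not own."""


class TempQueue:
    """A temporary destination: owned by exactly one broker connection."""

    def __init__(self, name, owner_connection_id):
        self.name = name
        self.owner = owner_connection_id
        self.messages = deque()


class Broker:
    """Toy broker. enforce_ownership=False reproduces the flaw: the broker
    assumes the client library already refused foreign temp queues and does
    no check of its own. enforce_ownership=True is the server-side fix."""

    def __init__(self, enforce_ownership):
        self.enforce_ownership = enforce_ownership
        self.temp_queues = {}

    def create_temp_queue(self, connection_id):
        name = f"ID:{connection_id}:temp-{len(self.temp_queues) + 1}"  # illustrative naming
        self.temp_queues[name] = TempQueue(name, connection_id)
        return name

    def send(self, name, payload):
        # Any connection may produce to a temp queue; that is how replies arrive.
        self.temp_queues[name].messages.append(payload)

    def consume(self, connection_id, name):
        """Attach a consumer and drain the queue, re-checking ownership on the
        broker side regardless of what the client did (or did not) check."""
        queue = self.temp_queues[name]
        if self.enforce_ownership and queue.owner != connection_id:
            raise NotAuthorized(f"{connection_id} does not own {name}")
        drained = list(queue.messages)
        queue.messages.clear()
        return drained


class HonestClient:
    """A well-behaved client library: refuses to consume from a temp queue
    that was created on a different connection (the client-side check)."""

    def __init__(self, broker, connection_id):
        self.broker = broker
        self.connection_id = connection_id
        self.owned = set()

    def create_temp_queue(self):
        name = self.broker.create_temp_queue(self.connection_id)
        self.owned.add(name)
        return name

    def receive(self, name):
        if name not in self.owned:
            raise NotAuthorized("client-side check: foreign temp destination")
        return self.broker.consume(self.connection_id, name)


class RogueClient(HonestClient):
    """Same wire access as an honest client, but the client-side check is gone."""

    def receive(self, name):
        return self.broker.consume(self.connection_id, name)


def run_scenario(enforce_ownership):
    """Victim opens a reply queue, a service answers on it, the attacker tries
    to drain it first. Returns what each party ended up with."""
    broker = Broker(enforce_ownership)
    victim = HonestClient(broker, "conn-victim")
    attacker = RogueClient(broker, "conn-attacker")

    reply_queue = victim.create_temp_queue()          # request/reply pattern
    broker.send(reply_queue, "reply: balance=42")     # constructed sample reply

    # Assumption: the attacker has learned reply_queue's name by some means
    # outside this model.
    try:
        attacker_got = attacker.receive(reply_queue)
        attacker_error = None
    except NotAuthorized as exc:
        attacker_got = []
        attacker_error = str(exc)

    victim_got = victim.receive(reply_queue)
    return {"attacker_got": attacker_got,
            "attacker_error": attacker_error,
            "victim_got": victim_got}


if __name__ == "__main__":
    print("vulnerable broker:", run_scenario(enforce_ownership=False))
    print("fixed broker:     ", run_scenario(enforce_ownership=True))
```

The honest client's check still exists in both runs; it protects nobody, because the party it would stop is the one that chooses not to run it. Only the check inside `Broker.consume` changes the outcome.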
Recommended Action (AI)
Within 24 hours: Audit deployed ActiveMQ Classic versions and identify brokers running affected versions (5.19.x before 5.19.8, or 6.0.0 before 6.2.7). …
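A helper for that audit step, added here as an example (not from the advisory or the project): it classifies ActiveMQ Classic version strings against the ranges this page states, 5.19.x before 5.19.8 and 6.0.0 before 6.2.7, with 5.19.8 and 6.2.7 as the fixed releases. Two deliberate choices: a pre-release build such as `6.2.7-SNAPSHOT` sorts before the final 6.2.7 and is therefore flagged as affected, and anything the page does not cover (5.18.x and earlier, other major versions, unparseable strings) is reported as `unknown` rather than silently passing. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected ranges as stated on this page. Each bound is
# (major, minor, patch, release_flag); release_flag is 0 for a pre-release
# build such as 6.2.7-SNAPSHOT and 1 for a final release, so a snapshot of
# the fixed version still sorts *before* the fix.
AFFECTED_RANGES = {
    5: ((5, 19, 0, 0), (5, 19, 8, 1)),   # 5.19.x before 5.19.8
    6: ((6, 0, 0, 0), (6, 2, 7, 1)),     # 6.0.0 before 6.2.7
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\S+))?\s*$")


def parse_version(text):
    """Turn '5.19.7' or '6.2.7-SNAPSHOT' into a sortable tuple, or None."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    major, minor, patch, suffix = m.groups()
    release_flag = 0 if suffix else 1
    return (int(major), int(minor), int(patch), release_flag)


def classify(text):
    """'affected', 'fixed' or 'unknown' for one ActiveMQ Classic version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    bounds = AFFECTED_RANGES.get(version[0])
    if bounds is None:
        return "unknown"          # major version this page does not cover
    low, high = bounds
    if low <= version < high:
        return "affected"
    if version >= high:
        return "fixed"
    return "unknown"              # below the stated range, e.g. 5.18.x


def audit(inventory):
    """Map each host in {host: version_string} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.19.7",
    "mq-prod-02": "6.2.6",
    "mq-stage-01": "6.2.7",
    "mq-dev-01": "6.2.7-SNAPSHOT",
    "mq-legacy-01": "5.18.7",
    "mq-unknown-01": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:16} {status}")
```

Treat every `unknown` as a ticket to resolve by hand, not as a pass; an inventory field that cannot be parsed usually means the version was never recorded, which is its own finding.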
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. Rated medium severity (CVSS 6.9), this vul
Remote code execution in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ (versions before 5.19.7 and 6.0.0 before 6.2
Denial of service in Apache ActiveMQ (versions before 5.19.8, and 6.0.0 before 6.2.7) lets an authenticated user crash t
Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the bro
Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious
Same weakness: CWE-862 – Missing Authorization
Same technique: Authentication Bypass
EUVD-2026-40276