Skip to main content

Apache EUVDEUVD-2026-19586

| CVE-2026-33227 MEDIUM
Path Traversal (CWE-22)
2026-04-07 apache GHSA-h2h4-5m64-m273
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 08:30 euvd
EUVD-2026-19586
Analysis Generated
Apr 07, 2026 - 08:30 vuln.today
CVE Published
Apr 07, 2026 - 07:50 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
  • 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)
  • 31 maven packages depend on org.apache.activemq:activemq-client (8 direct, 23 indirect)
  • 4 maven packages depend on org.apache.activemq:activemq-web (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionCVE.org

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.

In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2.

Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.

AnalysisAI

Improper path validation in Apache ActiveMQ Client and Broker allows authenticated users to traverse the classpath via crafted 'key' values in Stomp consumer creation and Web console message browsing operations, potentially enabling information disclosure or chaining with secondary attacks for greater impact. Affects ActiveMQ Client/Broker versions before 5.19.3 and 6.0.0-6.2.1; patch available in 5.19.4 and 6.2.3 (5.19.3/6.2.2 have platform-specific limitations). EPSS score of 0.04% indicates l

Technical ContextAI

This vulnerability stems from improper input validation in classpath path handling (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The root cause is insufficient sanitization when concatenating user-supplied 'key' values with classpath paths, allowing directory traversal sequences (e.g., '../') to escape intended resource boundaries. The vulnerability manifests in two code paths: (1) Stomp consumer creation, where the key parameter is used to construct resource paths without proper canonicalization, and (2) Web console message browsing operations that similarly concatenate user input into classpath resource lookups. The affected products span Apache ActiveMQ Client (CPE: cpe:2.3:a:apache_software_foundation:apache_activemq_client:*:*:*:*:*:*:*:*), ActiveMQ Broker (cpe:2.3:a:apache_software_foundation:apache_activemq_broker:*:*:*:*:*:*:*:*), and ActiveMQ Web console (cpe:2.3:a:apache_software_foundation:apache_activemq_web:*:*:*:*:*:*:*:*). A critical detail noted in vendor guidance: versions 5.19.3 and 6.2.2 contain incomplete fixes that fail on Windows environments due to path separator resolution bugs, requiring upgrade to 5.19.4 or 6.2.3 for full remediation across platforms.

RemediationAI

Upgrade to Apache ActiveMQ 5.19.4 or 6.2.3 immediately, which provide complete fixes for all platforms including Windows. Users on 5.19.3 or 6.2.2 should note these versions partially remediate the issue but contain platform-specific path separator bugs on Windows; upgrades to 5.19.4 or 6.2.3 are required for robust cross-platform protection. No workaround is documented; patching is the sole recommended mitigation. Refer to the Apache ActiveMQ security advisory at https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt for download links and detailed upgrade instructions. Systems unable to upgrade immediately should apply the strictest possible access controls to limit authenticated user connections to trusted principals only, and monitor Stomp and Web console access logs for suspicious key parameter patterns (e.g., '../' sequences).

Vendor StatusVendor

Share

EUVD-2026-19586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy