Is Apache Activemq Client affected by EUVD-2026-21362?

Apache ActiveMQ versions before 5.19.4 and 6.0.0-6.2.3 are vulnerable to unauthenticated remote denial of service attacks that exhaust broker memory through malformed TLSv1.3 handshake requests, potentially disrupting message-dependent business operations.

EUVD-2026-21362

Q: How to fix EUVD-2026-21362?

Within 24 hours: Identify all ActiveMQ deployments using versions <5.19.4 or 6.0.0-6.2.3 with NIO SSL transports enabled and assess business criticality. Within 7 days: Implement network-level controls (rate limiting, connection throttling on TLSv1.3 KeyUpdate requests) or disable NIO SSL transport if operationally feasible; apply compensating controls below. Within 30 days: Upgrade to ActiveMQ 5.19.4 or later (5.15.x/5.16.x/5.17.x/5.18.x not mentioned as patched-verify vendor advisories) or 6.2.4+ once released and tested.

| CVE-2026-39304 HIGH

2026-04-10 apache

GHSA-5568-6qcg-g7fx

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Apr 11, 2026 - 02:30 nvd

Patch available

Analysis Generated

Apr 10, 2026 - 11:00 vuln.today

EUVD ID Assigned

Apr 10, 2026 - 11:00 euvd

EUVD-2026-21362

CVE Published

Apr 10, 2026 - 10:54 nvd

HIGH 7.5

Description

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

Analysis

Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. …

Remediation

Within 24 hours: Identify all ActiveMQ deployments using versions <5.19.4 or 6.0.0-6.2.3 with NIO SSL transports enabled and assess business criticality. Within 7 days: Implement network-level controls (rate limiting, connection throttling on TLSv1.3 KeyUpdate requests) or disable NIO SSL transport if operationally feasible; apply compensating controls below. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

EUVD-2026-21362 vulnerability details – vuln.today

Back

EUVD-2026-21362

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-21362

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code