Skip to main content

Apache Activemq

9 CVEs product

Monthly

CVE-2026-49434 HIGH PATCH This Week

Improper input validation in Apache ActiveMQ lets an attacker who can write or modify LDAP entries matching the broker's configured searchBase and searchFilter instantiate transports that are otherwise denied inside the broker JVM. By doing so the attacker can force the broker to fetch an attacker-controlled URL and spawn a second BrokerService within the same JVM, an integrity-impacting condition affecting Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All before 5.19.8 and 6.x before 6.2.7. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Apache Apache Activemq Broker Apache Activemq Apache Activemq All
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-49432 HIGH PATCH This Week

Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or exhaust the broker by sending a negative content-length value. On the NIO STOMP transport the attacker streams body bytes to grow the per-connection command buffer past configured limits and force an out-of-memory condition, while the blocking STOMP transport instead throws an abnormal transport exception that closes the affected connection. The flaw affects ActiveMQ, ActiveMQ All, and ActiveMQ Stomp before 5.19.8 and the 6.0.0-6.2.6 line; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Apache Apache Activemq Apache Activemq All Apache Activemq Stomp
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-49877 HIGH PATCH This Week

Privilege escalation via improper authorization in Apache ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7 lets an authenticated low-privilege Web Console user reach the administrative /admin/* paths that should be restricted to administrators. The flaw stems from default Jetty configuration that failed to scope those paths to admin roles, granting low-priv users administrative Web Console functionality. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Apache Apache Activemq
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-50734 HIGH PATCH This Week

Denial of service in Apache ActiveMQ (Client, broker, and All distributions) before 5.19.8 and 6.x before 6.2.7 lets a remote unauthenticated attacker crash the broker by sending a crafted WireFormatInfo frame containing an oversized size value during the pre-authentication protocol negotiation. Because the size is consumed before any authentication occurs, the broker attempts a massive memory allocation, triggering an out-of-memory condition and process crash. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the fix is shipped in 6.2.7 and 5.19.8.

Denial Of Service Apache Apache Activemq Client Apache Activemq Apache Activemq All
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-50750 HIGH PATCH This Week

Remote denial of service in Apache ActiveMQ (versions 5.19.7 and 6.2.6) allows an unauthenticated attacker to exhaust broker heap memory and crash the service with an OutOfMemory error. The flaw is a regression introduced by the fix for CVE-2026-49270: an attacker repeatedly sends OpenWire BrokerInfo commands while never sending the expected ConnectionInfo, causing unbounded state accumulation until the broker dies. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network reachability makes it a credible availability threat to exposed brokers.

Denial Of Service Apache Apache Activemq Broker Apache Activemq Apache Activemq All
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-41044 Maven HIGH PATCH GHSA This Week

Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.

RCE Java Apache Apache Activemq Apache Activemq Broker +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40466 Maven HIGH POC PATCH GHSA This Week

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.

RCE Java Apache Apache Activemq Broker Apache Activemq All +1
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-39304 Maven HIGH PATCH GHSA This Week

Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. Vulnerability arises from improper handling of TLSv1.3 handshake KeyUpdate messages, enabling clients to trigger unbounded memory allocation in the SSL engine. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N) indicates network-accessible, low-complexity attack requiring no authentication.

Apache Denial Of Service Apache Activemq Client Apache Activemq Broker Apache Activemq All +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34197 Maven HIGH POC KEV PATCH THREAT NEWS GHSA Act Now

Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(

Apache Java RCE Apache Activemq Broker Apache Activemq
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
Threat
4.8
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper input validation in Apache ActiveMQ lets an attacker who can write or modify LDAP entries matching the broker's configured searchBase and searchFilter instantiate transports that are otherwise denied inside the broker JVM. By doing so the attacker can force the broker to fetch an attacker-controlled URL and spawn a second BrokerService within the same JVM, an integrity-impacting condition affecting Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All before 5.19.8 and 6.x before 6.2.7. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Apache Apache Activemq Broker +2
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or exhaust the broker by sending a negative content-length value. On the NIO STOMP transport the attacker streams body bytes to grow the per-connection command buffer past configured limits and force an out-of-memory condition, while the blocking STOMP transport instead throws an abnormal transport exception that closes the affected connection. The flaw affects ActiveMQ, ActiveMQ All, and ActiveMQ Stomp before 5.19.8 and the 6.0.0-6.2.6 line; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Apache Apache Activemq +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation via improper authorization in Apache ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7 lets an authenticated low-privilege Web Console user reach the administrative /admin/* paths that should be restricted to administrators. The flaw stems from default Jetty configuration that failed to scope those paths to admin roles, granting low-priv users administrative Web Console functionality. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Apache Apache Activemq
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in Apache ActiveMQ (Client, broker, and All distributions) before 5.19.8 and 6.x before 6.2.7 lets a remote unauthenticated attacker crash the broker by sending a crafted WireFormatInfo frame containing an oversized size value during the pre-authentication protocol negotiation. Because the size is consumed before any authentication occurs, the broker attempts a massive memory allocation, triggering an out-of-memory condition and process crash. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the fix is shipped in 6.2.7 and 5.19.8.

Denial Of Service Apache Apache Activemq Client +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in Apache ActiveMQ (versions 5.19.7 and 6.2.6) allows an unauthenticated attacker to exhaust broker heap memory and crash the service with an OutOfMemory error. The flaw is a regression introduced by the fix for CVE-2026-49270: an attacker repeatedly sends OpenWire BrokerInfo commands while never sending the expected ConnectionInfo, causing unbounded state accumulation until the broker dies. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network reachability makes it a credible availability threat to exposed brokers.

Denial Of Service Apache Apache Activemq Broker +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.

RCE Java Apache +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.

RCE Java Apache +3
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. Vulnerability arises from improper handling of TLSv1.3 handshake KeyUpdate messages, enabling clients to trigger unbounded memory allocation in the SSL engine. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N) indicates network-accessible, low-complexity attack requiring no authentication.

Apache Denial Of Service Apache Activemq Client +3
NVD VulDB
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(

Apache Java RCE +2
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy