SB2026041071 - Two vulnerabilities in Apache ActiveMQ

Description

This security bulletin contains information about 2 vulnerabilities.

1) Code Injection (CVE-ID: CVE-2026-34197)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to code injection in the Jolokia JMX-HTTP bridge and exposed ActiveMQ MBeans when handling authenticated exec operations with a crafted discovery URI. A remote user can invoke BrokerService.addNetworkConnector(String) or BrokerService.addConnector(String) to execute arbitrary code.

The issue is exposed through the web console endpoint at /api/jolokia/, and exploitation causes remote Spring XML application context loading via the VM transport's brokerConfig parameter before configuration validation completes.

2) Path traversal (CVE-ID: CVE-2026-33227)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to load unintended classpath resources.

The vulnerability exists due to path traversal in Stomp consumer creation and Web console message browsing when processing an authenticated user-supplied key value. A remote user can supply a crafted key value to load unintended classpath resources.

The issue occurs in two instances: when creating a Stomp consumer and when browsing messages in the Web console, and it could potentially be chained with another attack to lead to further exploit.

Remediation

Install update from vendor's website.

References

• https://lists.apache.org/api/email.lua?id=zf08410rvswvdx1sqlvp4x6kz5x8x2qg
• https://lists.apache.org/api/email.lua?id=mp7yyg0wjbgffoh8rltwtmqd8lzqtllf