SB2026042852 - Multiple vulnerabilities in Apache ActiveMQ
Published: April 28, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-41043)
The vulnerability allows a remote user to inject malicious content into the web console.
The vulnerability exists due to cross-site scripting in the ActiveMQ Web Console when browsing queues. A remote user can place HTML in a JMS selector field and force the response content type to HTML, so the injected markup is rendered by the browser of anyone viewing the queue page instead of being displayed as text.
The issue is triggered while browsing queues in the web console.
2) Code Injection (CVE-ID: CVE-2026-40466)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation and code injection in BrokerView.addNetworkConnector and BrokerView.addConnector, both reachable through Jolokia, when a connector is added with an HTTP discovery transport. A remote user can add a connector whose discovery endpoint is an attacker-controlled HTTP server; that endpoint returns a VM transport URI which causes the broker to load a remote Spring XML application context, executing arbitrary code in the broker process.
Exploitation requires the activemq-http module to be on the classpath.
3) Code Injection (CVE-ID: CVE-2026-41044)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation and code injection in the admin web console and the DestinationView MBean when processing a malicious broker name that triggers VM transport creation. A remote user can construct a malicious broker name and send a message through the DestinationView MBean to execute arbitrary code.
Exploitation requires access to the admin web console and to the DestinationView MBean exposed by Jolokia.
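Items 2 and 3 both travel over the Jolokia endpoint as exec requests against the broker's MBeans. The following screen, added here as an example and not code from the ActiveMQ or Jolokia projects, parses Jolokia POST bodies (single object or bulk array) and flags the two shapes the bulletin describes: addConnector / addNetworkConnector calls whose argument carries an http(s) URL (an HTTP discovery transport), and send operations on a destination MBean whose brokerName key contains URI or option syntax instead of a plain identifier. The sample requests are constructed, the 198.51.100.0/24 addresses are from the documentation range, the suspicious brokerName is a placeholder rather than a working trigger, and both matching rules are assumptions stated in the comments.

```python
"""Screen Jolokia exec requests for the two code-injection paths described
in items 2 and 3 of this bulletin. This is an added example, not ActiveMQ or
Jolokia project code; the sample requests below are constructed and the
matching rules are this reviewer's assumptions, described at each rule."""
import json
import re
from dataclasses import dataclass

# Item 2: BrokerView operations reachable over Jolokia.
CONNECTOR_OPS = {"addConnector", "addNetworkConnector"}
# Assumption: an HTTP discovery transport carries an http(s) URL inside the
# connector URI, so any such URL in a connector argument merits review.
HTTP_URL = re.compile(r"https?://", re.IGNORECASE)
# Assumption: a legitimate brokerName is a plain identifier; URI, option or
# vm: transport syntax inside the ObjectName key is treated as suspicious.
BAD_BROKER_NAME = re.compile(r"vm:|[:/?&=()<>]", re.IGNORECASE)
# Item 3: destination MBeans expose send* operations.
SEND_OP = re.compile(r"^send", re.IGNORECASE)
ACTIVEMQ_DOMAIN = "org.apache.activemq"


@dataclass(frozen=True)
class Finding:
    cve: str
    mbean: str
    operation: str
    reason: str


def parse_object_name(name):
    """Split 'domain:k1=v1,k2="v,2"' into (domain, {k: v}), honouring quoted values."""
    domain, _, props = name.partition(":")
    keys = {}
    for key, value in re.findall(r'([^=,]+)=("(?:[^"\\]|\\.)*"|[^,]*)', props):
        keys[key.strip()] = value.strip().strip('"')
    return domain, keys


def screen_request(req):
    """Return a list of Finding objects for one Jolokia request object."""
    if str(req.get("type", "")).lower() != "exec":
        return []
    mbean = str(req.get("mbean", ""))
    # Jolokia accepts 'op' or 'op(java.lang.String)' for overloaded operations.
    bare_op = str(req.get("operation", "")).split("(", 1)[0]
    args = [str(a) for a in req.get("arguments") or []]
    domain, keys = parse_object_name(mbean)
    if domain != ACTIVEMQ_DOMAIN or keys.get("type") != "Broker":
        return []
    findings = []
    if bare_op in CONNECTOR_OPS and any(HTTP_URL.search(a) for a in args):
        findings.append(Finding("CVE-2026-40466", mbean, bare_op,
                                "connector added through Jolokia with an HTTP discovery URI"))
    if ("destinationType" in keys and SEND_OP.match(bare_op)
            and BAD_BROKER_NAME.search(keys.get("brokerName", ""))):
        findings.append(Finding("CVE-2026-41044", mbean, bare_op,
                                "message sent via destination MBean under a suspicious brokerName"))
    return findings


def screen_body(body):
    """Screen a raw Jolokia POST body; Jolokia accepts one object or a bulk array."""
    parsed = json.loads(body)
    requests = parsed if isinstance(parsed, list) else [parsed]
    return [f for r in requests for f in screen_request(r)]


# Constructed sample requests (not captured traffic). 198.51.100.0/24 is a
# documentation range; the suspicious brokerName is a placeholder, not a
# working trigger.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLES = [
    {"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"},
    {"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
     "arguments": ["discovery:(http://198.51.100.7/peers)"]},
    {"type": "exec", "mbean": BROKER, "operation": "addConnector",
     "arguments": ["tcp://0.0.0.0:61617"]},
    {"type": "exec",
     "mbean": 'org.apache.activemq:type=Broker,brokerName="b?x=1/y",'
              'destinationType=Queue,destinationName=TEST',
     "operation": "sendTextMessage(java.lang.String)", "arguments": ["hello"]},
    {"type": "exec",
     "mbean": BROKER + ",destinationType=Queue,destinationName=TEST",
     "operation": "sendTextMessage(java.lang.String)", "arguments": ["hello"]},
]
SAMPLE_BODY = json.dumps(SAMPLES)


def screen_samples():
    """Run the screen over the constructed bulk body and return the CVE ids hit."""
    return [f.cve for f in screen_body(SAMPLE_BODY)]


if __name__ == "__main__":
    for finding in screen_body(SAMPLE_BODY):
        print(finding)
```

The screen is deliberately coarse: a legitimate addConnector with a tcp:// URI and a send on a destination under a normal brokerName produce no finding, while anything matching either rule is handed to a human. It looks only at the JSON POST form of Jolokia requests; the GET path form (/jolokia/exec/...) would need its own parser before the same screen_request could be applied.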
Remediation
Install the update from the vendor's website. Until it is applied, reduce exposure of the paths this bulletin describes: restrict network access to the admin web console and the Jolokia endpoint and require authentication on both (items 2 and 3 both depend on reaching them), and remove the activemq-http module from the classpath where HTTP discovery is not in use (item 2 depends on it).