SB2026070164 - Multiple vulnerabilities in Apache ActiveMQ
Published: July 1, 2026
Description
This security bulletin contains information about 9 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-49434)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to instantiate denied transports inside the broker JVM and to spawn a second BrokerService in the same JVM.
The vulnerability exists due to improper input validation in LdapNetworkConnector when it processes LDAP entries that match the configured searchBase and searchFilter. A remote user who can publish or modify matching LDAP entries can make the broker instantiate transports that its configuration denies and start a second BrokerService inside the same JVM.
Exploitation can also be used to make the broker fetch an attacker-controlled URL. Because the attack requires the ability to write entries under the watched searchBase, the exposure is bounded by who has write access to that part of the directory.
2) Input validation error (CVE-ID: CVE-2026-49432)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the STOMP connector when processing STOMP frames whose content-length header is negative. A remote attacker can send a specially crafted STOMP frame to cause a denial of service.
On the NIO STOMP transport, exploitation can grow the per-connection command buffer beyond the configured limits and lead to out-of-memory conditions. On the blocking STOMP transport, exploitation triggers abnormal transport exception handling for the affected connection, which is then closed.
3) Improper Authorization (CVE-ID: CVE-2026-49877)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access administrative functionality.
The vulnerability exists due to improper authorization on the Web Console /admin/* paths when handling requests from authenticated low-privilege Web Console users. A remote user holding a low-privilege Web Console account can request /admin/* paths and reach administrative functionality.
The issue is caused by the default Jetty security constraints, which do not restrict those paths to the administrator role.
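Added configuration example for item 3; it is not text from the advisory or from the project's own distribution. It contrasts a constraint mapping that lets any authenticated role reach /admin/* with one that reserves those paths for the admin role. The bean ids, class names, property names and path specs follow the layout of conf/jetty.xml in ActiveMQ 5.x as I recall it and are assumptions: diff them against the jetty.xml shipped with your version before applying anything.

```xml
<!-- Weak shape (illustrative): one constraint with roles user and admin covers /admin/* too. -->
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
</bean>
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/api/*,/admin/*,*.jsp"/>
</bean>

<!-- Hardened shape: /admin/* moves to a constraint whose only role is admin,
     and the shared mapping above is replaced so it no longer covers /admin/*. -->
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="admin"/>
    <property name="authenticate" value="true"/>
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint"/>
    <property name="pathSpec" value="/admin/*,*.action"/>
</bean>
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/api/*,*.jsp"/>
</bean>
```

Both mappings must be listed in the securityHandler bean's constraintMappings property or they have no effect. After a restart, verify from a low-privilege account: a request such as `curl -u user:password -i http://broker:8161/admin/` (hostname and credentials are placeholders) should return 403 rather than the console page, while the same request with an admin account still succeeds. Also confirm that no remaining mapping with a broader role set still covers /admin/*, since an overlapping mapping can reopen the path.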
4) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-50734)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with an excessive size value in OpenWire wire format negotiation when processing a WireFormatInfo frame during pre-authentication negotiation. A remote attacker can send a crafted WireFormatInfo frame declaring a very large size to cause a denial of service.
Because the frame is processed before authentication, no credentials are needed. The issue can trigger out-of-memory conditions and crash the broker.
5) Resource exhaustion (CVE-ID: CVE-2026-50750)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the OpenWire broker handling logic when processing repeated BrokerInfo commands on a connection that has not sent a ConnectionInfo. A remote attacker can send repeated BrokerInfo commands to cause a denial of service.
The issue can exhaust memory and crash the broker.
6) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-53916)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with an excessive size value in the STOMP NIO codec when handling header bytes on a STOMP NIO connection. A remote attacker can send a stream of header bytes that never reaches the end-of-headers delimiter to cause a denial of service.
The issue can exhaust the JVM heap.
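Added example covering items 2 and 6; it is not the ActiveMQ STOMP codec. It parses STOMP frames while refusing the two inputs these items describe: a content-length header that is not a non-negative integer within the frame limit, and a header block that grows past a fixed cap without reaching the blank line that ends it. The limits, the delimiter handling and the sample frames are assumptions constructed for illustration; STOMP header value escaping is left out.

```python
"""Bounded STOMP frame parsing (added example, not ActiveMQ source).

Models two failure modes from this bulletin: a negative content-length header
(item 2) and a header block that never terminates (item 6). Limits, delimiter
handling and sample frames are assumptions; header value escaping is omitted.
"""
from dataclasses import dataclass

MAX_HEADER_BYTES = 4096          # assumed cap on the whole header block
MAX_FRAME_BYTES = 1024 * 1024    # assumed cap on any body we agree to buffer

class StompFrameError(ValueError):
    """Malformed frame; the caller should close the connection."""

@dataclass
class StompFrame:
    command: str
    headers: dict
    body: bytes

def naive_content_length(headers: dict):
    """Weak form: int() accepts "-1", so a later `length > MAX` test is bypassed."""
    raw = headers.get("content-length")
    return None if raw is None else int(raw)

def checked_content_length(headers: dict):
    """Hardened form: a non-negative integer no larger than MAX_FRAME_BYTES, or None."""
    raw = headers.get("content-length")
    if raw is None:
        return None
    if not raw.isdigit():          # rejects "-1", "", "+5", "0x10", " 12"
        raise StompFrameError(f"invalid content-length: {raw!r}")
    n = int(raw)
    if n > MAX_FRAME_BYTES:
        raise StompFrameError(f"content-length {n} exceeds {MAX_FRAME_BYTES}")
    return n

def parse_frame(buf: bytes):
    """Parse one frame; return (frame, rest), or (None, buf) if more data is needed.

    Raises StompFrameError when the input can never become a valid frame, so the
    per-connection buffer is never grown past the configured limits.
    """
    window = buf[:MAX_HEADER_BYTES + 4]          # look for the blank line only inside the cap
    for delim in (b"\r\n\r\n", b"\n\n"):
        idx = window.find(delim)
        if idx != -1:
            break
    else:
        if len(buf) > MAX_HEADER_BYTES:
            raise StompFrameError("header block exceeds MAX_HEADER_BYTES without a blank line")
        return None, buf

    try:
        head = window[:idx].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise StompFrameError("header block is not valid UTF-8") from exc
    lines = head.replace("\r\n", "\n").split("\n")
    command = lines[0]
    if not command:
        raise StompFrameError("empty command")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep or not key:
            raise StompFrameError(f"malformed header line: {line!r}")
        headers.setdefault(key, value)       # STOMP: the first occurrence of a header wins

    body_start = idx + len(delim)
    n = checked_content_length(headers)
    if n is not None:
        end = body_start + n
        if len(buf) < end + 1:
            return None, buf                 # outstanding bytes are bounded by MAX_FRAME_BYTES
        if buf[end] != 0:
            raise StompFrameError("body is not followed by the NUL terminator")
        return StompFrame(command, headers, buf[body_start:end]), buf[end + 1:]

    nul = buf.find(b"\x00", body_start)
    if nul == -1:
        if len(buf) - body_start > MAX_FRAME_BYTES:
            raise StompFrameError("unterminated body exceeds MAX_FRAME_BYTES")
        return None, buf
    return StompFrame(command, headers, buf[body_start:nul]), buf[nul + 1:]

if __name__ == "__main__":
    # Constructed sample frames, not captured traffic.
    print(parse_frame(b"SEND\ndestination:/queue/demo\ncontent-length:5\n\nhello\x00"))
    for bad in (b"SEND\ncontent-length:-1\n\nx\x00", b"SEND\nh:" + b"A" * 5000):
        try:
            parse_frame(bad)
        except StompFrameError as exc:
            print("rejected:", exc)
```

The two checks sit in different places on purpose: the header cap is applied before the parser even looks for the blank line, so a connection that streams header bytes forever is dropped once the cap is exceeded rather than buffered, and content-length is validated as a string before it is converted, so a negative or malformed value never reaches the size comparison.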
7) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-53917)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to memory allocation with an excessive size value in OpenWire message property map unmarshalling when processing a crafted OpenWire message whose encoded map size value is very large. A remote user can send a specially crafted OpenWire message to cause a denial of service.
The issue can trigger out-of-memory conditions and crash the broker.
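Added example covering items 4 and 7; it is not the OpenWire marshaller. It decodes a size-prefixed frame and an entry-count-prefixed property map, checking each declared size against a fixed limit and against the bytes actually present before anything is allocated. The encoding is a simplified OpenWire-like layout, and the limits and type-tag values are assumptions for illustration; the encoder exists only to build constructed sample input.

```python
"""Bounded decoding of OpenWire-style length-prefixed data (added example, not ActiveMQ code).

Models items 4 and 7 of this bulletin: a frame whose int32 size prefix is huge
(a WireFormatInfo frame arrives before authentication) and a property map whose
int32 entry-count prefix is huge. The layout is a simplified OpenWire-like
encoding; the limits and type tags are assumptions for illustration.
"""
import struct

MAX_FRAME_SIZE = 1024 * 1024   # assumed: larger frames are rejected before any allocation
MAX_MAP_ENTRIES = 1024         # assumed: upper bound on property-map entries
MAX_UTF_BYTES = 64 * 1024      # assumed: upper bound on one encoded string
TYPE_NULL, TYPE_INT, TYPE_STRING = 0, 5, 9   # assumed tag values

class WireFormatError(ValueError):
    """Malformed or oversized input; the connection should be dropped."""

class Reader:
    """Cursor over a byte string that refuses to read past the end."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def read(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise WireFormatError(f"need {n} bytes, {len(self.data) - self.pos} available")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def i32(self) -> int:
        return struct.unpack(">i", self.read(4))[0]
    def u16(self) -> int:
        return struct.unpack(">H", self.read(2))[0]

def frame(body: bytes) -> bytes:
    return struct.pack(">i", len(body)) + body      # int32 size prefix, used for sample input

def read_frame(data: bytes) -> bytes:
    """Return the body only after the declared size passed both checks.

    The weak pattern allocates a buffer of the declared size straight after the
    prefix, so one unauthenticated frame claiming 2 GB exhausts the heap.
    """
    r = Reader(data)
    size = r.i32()
    if size < 0 or size > MAX_FRAME_SIZE:
        raise WireFormatError(f"declared frame size {size} outside 0..{MAX_FRAME_SIZE}")
    return r.read(size)                  # also fails if fewer bytes than declared are present

def read_utf(r: Reader) -> str:
    n = r.u16()
    if n > MAX_UTF_BYTES:
        raise WireFormatError(f"string length {n} exceeds {MAX_UTF_BYTES}")
    try:
        return r.read(n).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise WireFormatError("string is not valid UTF-8") from exc

def decode_primitive_map(data: bytes) -> dict:
    """Decode a property map without using the entry count to size any allocation."""
    r = Reader(data)
    count = r.i32()
    if count < 0 or count > MAX_MAP_ENTRIES:
        raise WireFormatError(f"map entry count {count} outside 0..{MAX_MAP_ENTRIES}")
    result = {}
    for _ in range(count):               # one entry at a time; truncation fails in Reader.read
        key = read_utf(r)
        tag = r.read(1)[0]
        if tag == TYPE_NULL:
            value = None
        elif tag == TYPE_INT:
            value = r.i32()
        elif tag == TYPE_STRING:
            value = read_utf(r)
        else:
            raise WireFormatError(f"unsupported type tag {tag}")
        result[key] = value
    if r.pos != len(data):
        raise WireFormatError(f"{len(data) - r.pos} trailing bytes after map")
    return result

def encode_utf(s: str) -> bytes:
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def encode_primitive_map(entries: dict) -> bytes:
    """Encoder used only to build well-formed sample input for the decoder."""
    out = struct.pack(">i", len(entries))
    for key, value in entries.items():
        out += encode_utf(key)
        if value is None:
            out += bytes([TYPE_NULL])
        elif isinstance(value, int) and not isinstance(value, bool):
            out += bytes([TYPE_INT]) + struct.pack(">i", value)
        elif isinstance(value, str):
            out += bytes([TYPE_STRING]) + encode_utf(value)
        else:
            raise TypeError(f"unsupported value {value!r}")
    return out

if __name__ == "__main__":
    props = encode_primitive_map({"JMSXGroupID": "g1", "retries": 3, "note": None})  # constructed
    print(decode_primitive_map(read_frame(frame(props))))
```

The rule applied in both decoders is the same: a length or count read off the wire is a claim, not a fact, so it is compared with a configured ceiling and with the bytes that have actually arrived before it drives any allocation, and the map is built one entry at a time rather than pre-sized from the count.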
8) Missing Authorization (CVE-ID: CVE-2026-54475)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to consume messages from another connection's temporary destination.
The vulnerability exists due to improper access control in temporary destination ownership enforcement. A remote user can open a different connection and consume from a temporary destination that was created by another connection, reading the messages intended for that connection.
Isolation of temporary destinations is only checked in the client; the broker performs no server-side ownership check, so a client that skips or bypasses its own check is not stopped.
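Added example for item 8, not ActiveMQ code: a small broker model that records which connection created each temporary destination and enforces that record on the server when a consumer reads, instead of trusting the client to stay out of other connections' temporary destinations. Sending to a foreign temporary destination remains allowed, since that is how JMS request/reply works; only consuming is restricted to the owner, and the destination disappears with its owner. The naming convention (connection id embedded in the destination name), the connection ids and the server_side_check flag, which reproduces the client-only model for comparison, are assumptions for illustration.

```python
"""Server-side ownership of temporary destinations (added example, not ActiveMQ code).

Item 8 of this bulletin: isolation of temporary destinations was checked only in
the client. This model keeps an ownership record in the broker and enforces it
when a consumer reads; server_side_check=False reproduces the client-only model
for comparison. The naming convention and connection ids are assumptions.
"""
from collections import deque

class DestinationAccessDenied(PermissionError):
    """A connection tried to consume from a temporary destination it does not own."""

class UnknownDestination(LookupError):
    """Destination was never created, or its owning connection has gone away."""

class Broker:
    def __init__(self, server_side_check: bool = True):
        self.server_side_check = server_side_check
        self.owner = {}          # temp destination name -> owning connection id
        self.queues = {}         # destination name -> deque of pending payloads
        self.connections = set()
        self.seq = 0

    def connect(self, connection_id: str) -> None:
        self.connections.add(connection_id)

    def create_temp_queue(self, connection_id: str) -> str:
        self._require_connection(connection_id)
        self.seq += 1
        # The owner id is embedded in the name, but the broker-side record, not
        # the name, is what the consume check uses: names can be guessed or forged.
        name = f"temp-queue://{connection_id}:{self.seq}"
        self.owner[name] = connection_id
        self.queues[name] = deque()
        return name

    def send(self, connection_id: str, destination: str, payload: bytes) -> None:
        # Any connection may send to a temp queue: that is how JMS request/reply works.
        self._require_connection(connection_id)
        self._queue(destination).append(payload)

    def consume(self, connection_id: str, destination: str):
        """Return the next payload for the caller, or None if the queue is empty."""
        self._require_connection(connection_id)
        queue = self._queue(destination)
        owner = self.owner.get(destination)       # None for non-temporary destinations
        if self.server_side_check and owner is not None and owner != connection_id:
            raise DestinationAccessDenied(
                f"{connection_id} is not the owner ({owner}) of {destination}")
        return queue.popleft() if queue else None

    def disconnect(self, connection_id: str) -> None:
        # Temporary destinations live exactly as long as the connection that made them.
        for name in [n for n, o in self.owner.items() if o == connection_id]:
            del self.owner[name]
            del self.queues[name]
        self.connections.discard(connection_id)

    def _require_connection(self, connection_id: str) -> None:
        if connection_id not in self.connections:
            raise ValueError(f"unknown connection {connection_id}")

    def _queue(self, destination: str) -> deque:
        try:
            return self.queues[destination]
        except KeyError:
            raise UnknownDestination(destination) from None

def demo(server_side_check: bool):
    """Constructed scenario: B replies into A's temp queue, then tries to read it."""
    broker = Broker(server_side_check)
    broker.connect("ID:host-a-1")
    broker.connect("ID:host-b-2")
    temp = broker.create_temp_queue("ID:host-a-1")
    broker.send("ID:host-b-2", temp, b"reply for A")
    try:
        stolen = broker.consume("ID:host-b-2", temp)
    except DestinationAccessDenied:
        stolen = None
    return stolen, broker.consume("ID:host-a-1", temp)

if __name__ == "__main__":
    print("client-only model:", demo(False))   # B reads the reply meant for A
    print("server-side check:", demo(True))    # B is refused, A gets its reply
```

The point of the model is where the decision is made: a client-side check protects only against well-behaved clients, while the broker's ownership table is consulted on every read regardless of what the connecting code does. Removing the table entries on disconnect also closes the window in which a stale temporary destination could be reclaimed by another connection.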
9) Cross-site scripting (CVE-ID: CVE-2026-52760)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in an administrator's browser.
The vulnerability exists due to insufficient sanitization of the JMS message ID on the browse page of the ActiveMQ Web Console. A remote user can send a message with a crafted JMS message ID; when an administrator browses the queue in the Web Console, the script executes in the administrator's browser.
User interaction is required: the administrator must browse the affected queue in the Web Console.
Remediation
Install the update from the vendor's website.
References
- https://lists.apache.org/api/email.lua?id=o2y6jw0b34o6b2qy9m8kxq03cct6cpqr
- https://activemq.apache.org/
- https://lists.apache.org/api/email.lua?id=tj6z9phn7trkp6vcfp8q3gonlhg2n3jm
- https://lists.apache.org/api/email.lua?id=343od2osgvy7l1dkyxxtqhohoxl35xc6
- https://lists.apache.org/api/email.lua?id=16sb1zgwjz6zdk062bvs6gbhqjglbpsz
- https://lists.apache.org/api/email.lua?id=y0o2cktxwpk8jmwgqwnmbt74j1tm7bm2
- https://lists.apache.org/api/email.lua?id=ksg2zlhpgz18os0wff18rg81y373dp0m
- https://lists.apache.org/api/email.lua?id=y2k2pm4mx2w7b2jmol2qtxspln820ddx
- https://lists.apache.org/api/email.lua?id=rs9dnr6fcpm6ns19jj5po4my8yrox41l
- https://lists.apache.org/api/email.lua?id=g5klj944m0krv08fp9xlrrmyv2znkox3