Code Injection in ActiveMQ - CVE-2026-41044
Published: April 28, 2026
ActiveMQ
Apache Foundation
Description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation and code injection in the admin web console and DestinationView MBean when processing a malicious broker name and triggering VM transport creation. A remote user can construct a malicious broker name and send a message through the DestinationView MBean to execute arbitrary code.
Exploitation requires access to the admin web console and the DestinationView MBean exposed by Jolokia.
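Because exploitation depends on reaching both the admin web console and the Jolokia-exposed DestinationView MBean, the broker's web access log shows who has that access. The following is an added example, not part of the original advisory or of ActiveMQ: it reviews access-log lines for successful requests to those two surfaces. The `/api/jolokia` and `/admin` paths, the NCSA-style log format, the `MGMT_NET` range and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumptions, not from the advisory: Jolokia at /api/jolokia, console at
# /admin, NCSA-style access log, MGMT_NET as the only intended client network.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def review(lines):
    """Return (ip, user, path, reasons) for successful requests to review."""
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable, or the request was refused
        path = unquote(m["path"]).split("?")[0]
        jolokia = path.startswith("/api/jolokia")
        if not (jolokia or path.startswith("/admin")):
            continue
        reasons = []
        try:
            inside = ipaddress.ip_address(m["ip"]) in MGMT_NET
        except ValueError:  # hostname instead of an address
            inside = False
        if not inside:
            reasons.append("source outside management network")
        if jolokia and "destinationType=" in path:
            # Destination MBeans (DestinationView) addressed through Jolokia.
            reasons.append("DestinationView MBean access")
        elif jolokia and m["method"] == "POST":
            # A Jolokia POST names its MBean in the body, which is not logged.
            reasons.append("Jolokia POST, target MBean not logged")
        if reasons:
            findings.append((m["ip"], m["user"], path, reasons))
    return findings

# Constructed sample lines (documentation address ranges, invented traffic).
SAMPLE = [
    '10.20.0.5 - admin [28/Apr/2026:10:00:01 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - admin [28/Apr/2026:10:02:11 +0000] "GET /admin/ HTTP/1.1" 200 4301',
    '203.0.113.7 - admin [28/Apr/2026:10:02:40 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost,destinationType=Queue,destinationName=ORDERS/QueueSize HTTP/1.1" 200 212',
    '10.20.0.5 - admin [28/Apr/2026:10:05:00 +0000] "POST /api/jolokia HTTP/1.1" 200 310',
    '198.51.100.9 - - [28/Apr/2026:10:06:00 +0000] "GET /api/jolokia/ HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Jolokia POST requests carry the MBean name in the request body, so an access log alone cannot show which MBean they touched; those entries are listed for follow-up rather than classified.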