Input validation error in ActiveMQ - CVE-2026-49434
Published: July 1, 2026
ActiveMQ
Detailed vulnerability description
The vulnerability allows a remote user to instantiate denied transports inside the broker JVM and spawn a second BrokerService in the same JVM.
The vulnerability exists due to improper input validation in LdapNetworkConnector when processing LDAP entries that match the configured searchBase and searchFilter. A remote user can publish or modify matching LDAP entries to instantiate denied transports inside the broker JVM and spawn a second BrokerService in the same JVM.
Exploitation can be used to fetch an attacker-controlled URL.