Mallory

Apache ActiveMQ Flaws Enable Path Traversal and TLS DoS

Tags: widely-deployed-product-advisory, internet-facing-service-vulnerability, patch-regression
Updated April 9, 2026 at 05:05 PM (2 sources)

Apache disclosed two vulnerabilities affecting multiple ActiveMQ components, including the Client, the Broker, and the bundled distributions. CVE-2026-33227 is a low-severity pathname restriction flaw: an authenticated user can manipulate a supplied key value so that it traverses the classpath in two places, when creating a STOMP consumer and when browsing messages through the web console. Apache warned that the issue can expose classpath resource loading and could potentially be chained with another attack. The flaw affects the 5.x branch before 5.19.3 and the 6.x branch from 6.0.0 before 6.2.2, but Apache said the initial fixes shipped in 5.19.3 and 6.2.2 were incomplete on Windows because of path separator handling, so the recommended upgrade targets are 5.19.4 or 6.2.3. In practice, a Windows broker that was already moved to 5.19.3 or 6.2.2 is still affected and needs the later release.
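The Windows regression described above is the classic shape of an incomplete traversal fix: a check that understands `/` but not `\` as a path separator. The following is an added example, not ActiveMQ's own code, that contrasts that kind of check with a key validator that gives the same answer on every operating system and then adds a second guard after path resolution. The resource layout (`/tmp/amq-res`), the key whitelist and the function names are assumptions for illustration.

```python
import re
from pathlib import Path

# Allowed shape of one segment of a resource key (assumed policy, not ActiveMQ's).
_SEGMENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def naive_is_safe(key: str) -> bool:
    """A check that fixes POSIX hosts but not Windows.

    It only treats '/' as a separator, so a key built from '..\\' segments
    never produces a '..' element and passes.
    """
    if key.startswith("/"):
        return False
    return ".." not in key.split("/")


def canonical_resource_key(key: str):
    """Return a canonical 'a/b/c' key, or None if the key must be rejected.

    Both separator styles are folded to '/', absolute paths and drive
    letters are refused, and every segment must be a plain whitelisted name.
    """
    if not key or len(key) > 255:
        return None
    if any(ord(c) < 0x20 or c == "\x7f" for c in key):
        return None  # control characters, including NUL
    normalized = key.replace("\\", "/")  # same answer on Windows and POSIX
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return None  # absolute path or Windows drive prefix
    segments = normalized.split("/")
    for seg in segments:
        if seg in ("", ".", "..") or not _SEGMENT.match(seg):
            return None
    return "/".join(segments)


def resolve_under(base_dir: str, key: str):
    """Map a key to a file under base_dir, or None.

    Second line of defence: even a key that passed the whitelist must
    still resolve to a location inside base_dir.
    """
    canon = canonical_resource_key(key)
    if canon is None:
        return None
    base = Path(base_dir).resolve()
    target = (base / canon).resolve()
    if target != base and base not in target.parents:
        return None
    return target


if __name__ == "__main__":
    # Constructed probe keys, not taken from any advisory.
    for probe in ("queues/orders.properties", "../../../etc/passwd",
                  "..\\..\\..\\windows\\win.ini", "C:\\windows\\win.ini"):
        print(f"{probe!r:40} naive={naive_is_safe(probe)!s:5} "
              f"hardened={canonical_resource_key(probe)!r}")
```

Run it and the third probe shows the gap: `naive_is_safe` accepts the backslash form while `canonical_resource_key` rejects it. The point of `resolve_under` is that even a whitelist can be wrong in some encoding corner; checking the resolved path against the base directory catches what the string check misses.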

Apache also published CVE-2026-39304, an important-severity denial-of-service flaw in ActiveMQ's NIO SSL transports caused by incorrect handling of TLS 1.3 KeyUpdate messages. A client can send KeyUpdate messages repeatedly and exhaust broker memory inside the SSL engine, producing out-of-memory crashes and service disruption. KeyUpdate is a post-handshake TLS message, so the attacker needs nothing more than a completed TLS handshake with the listener; no broker credentials are involved (if the listener requires client certificates, the handshake itself gates access). Apache added that related handshake handling is also broken for earlier TLS versions such as TLS 1.2, though in those cases the result is a hung connection rather than memory exhaustion. The DoS issue affects the 5.x branch before 5.19.4 and the 6.x branch from 6.0.0 before 6.2.4; users are advised to upgrade to 5.19.5 or 6.2.4.
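The advisory does not spell out the root cause beyond "incorrect handling", but the safe behaviour for a TLS 1.3 endpoint is well defined: a KeyUpdate body is exactly one byte holding 0 (update_not_requested) or 1 (update_requested), anything else aborts the connection, and RFC 8446 section 4.6.3 lets a receiver that gets several update_requested messages while silent answer with a single KeyUpdate. The following is an added example, not ActiveMQ's or the JDK SSLEngine's code: a per-connection guard that parses plaintext handshake framing, rejects malformed KeyUpdates, coalesces replies so a flood costs O(1) state, and closes the connection when a rate budget is exceeded. The budget values and the `KeyUpdateGuard` API are assumptions; the sample stream is constructed inline.

```python
from collections import deque

HANDSHAKE_KEY_UPDATE = 24   # HandshakeType.key_update, RFC 8446 section 4.6.3
UPDATE_NOT_REQUESTED = 0
UPDATE_REQUESTED = 1


def encode_handshake(msg_type: int, body: bytes) -> bytes:
    """TLS Handshake framing: 1-byte type, 3-byte big-endian length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def key_update(request_update: int) -> bytes:
    """Build one KeyUpdate handshake message (body is a single byte)."""
    return encode_handshake(HANDSHAKE_KEY_UPDATE, bytes([request_update]))


def iter_handshake_messages(buf: bytes):
    """Yield (type, body) pairs from a concatenated plaintext handshake stream."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated handshake header")
        msg_type = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield msg_type, body
        off += 4 + length


class KeyUpdateGuard:
    """Budget for peer-initiated KeyUpdates on one connection (assumed policy).

    observe() returns 'ok', 'reply' (we owe the peer one KeyUpdate because it
    set update_requested and none is pending) or 'abort' (malformed message
    or budget exceeded; caller closes the connection).
    """

    def __init__(self, max_per_window: int = 4, window_seconds: float = 60.0):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.times = deque()          # timestamps of accepted KeyUpdates
        self.pending_reply = False    # at most one outstanding reply, never a queue

    def observe(self, msg_type: int, body: bytes, now: float) -> str:
        if msg_type != HANDSHAKE_KEY_UPDATE:
            return "ok"
        # RFC 8446: exactly one byte, value 0 or 1; otherwise illegal_parameter.
        if len(body) != 1 or body[0] not in (UPDATE_NOT_REQUESTED, UPDATE_REQUESTED):
            return "abort"
        while self.times and now - self.times[0] > self.window:
            self.times.popleft()
        if len(self.times) >= self.max_per_window:
            return "abort"           # rate budget exhausted: close, do not buffer
        self.times.append(now)
        if body[0] == UPDATE_REQUESTED and not self.pending_reply:
            self.pending_reply = True
            return "reply"
        return "ok"                  # update_not_requested, or reply already pending

    def reply_sent(self) -> None:
        """Call once our own KeyUpdate has been written to the peer."""
        self.pending_reply = False


def run_stream(buf: bytes, guard: KeyUpdateGuard, now: float = 0.0) -> list:
    """Feed a handshake stream through the guard while we stay silent; stop on abort."""
    decisions = []
    for msg_type, body in iter_handshake_messages(buf):
        decision = guard.observe(msg_type, body, now)
        decisions.append(decision)
        if decision == "abort":
            break
    return decisions


if __name__ == "__main__":
    # Constructed flood: 50 KeyUpdate(update_requested) messages arriving at once.
    flood = key_update(UPDATE_REQUESTED) * 50
    print(run_stream(flood, KeyUpdateGuard(max_per_window=4)))
```

Two properties matter here. The guard never queues work proportional to the number of KeyUpdates received (one pending reply, a bounded deque), which is the memory-exhaustion failure mode; and it returns `abort` rather than silently ignoring excess messages, so a flooding client is disconnected instead of left in the hung state the advisory describes for older TLS versions.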

Timeline

  1. Apr 9, 2026

    Apache releases upgrade guidance for CVE-2026-39304

    Apache said the flaw affects the 5.x branch before 5.19.4 and the 6.x branch from 6.0.0 before 6.2.4, and advised users to upgrade to 5.19.5 or 6.2.4. Apache also noted related TLS handshake handling problems in earlier TLS versions can cause connection hangs rather than out-of-memory conditions.

  2. Apr 9, 2026

    Apache discloses CVE-2026-39304 ActiveMQ TLS KeyUpdate DoS flaw

    Apache disclosed CVE-2026-39304, an important denial-of-service vulnerability in ActiveMQ NIO SSL transports. A client can abuse TLS 1.3 KeyUpdate handling to exhaust broker memory and trigger out-of-memory service disruption.

  3. Apr 6, 2026

    Apache recommends newer ActiveMQ fixes for CVE-2026-33227

    Apache said affected versions include the 5.x branch before 5.19.3 and the 6.x branch from 6.0.0 before 6.2.2, but advised upgrading to 5.19.4 or 6.2.3 because the earlier fixes were incomplete on Windows due to a path separator bug. Dawei Wang was credited with discovering the vulnerability.

  4. Apr 6, 2026

    Apache discloses CVE-2026-33227 in ActiveMQ

    Apache disclosed CVE-2026-33227, a low-severity path traversal-style flaw affecting multiple Apache ActiveMQ components. The issue allows an authenticated user-supplied key value to traverse the classpath in STOMP consumer creation and web console message browsing scenarios.


Related Stories

Apache ActiveMQ and Artemis Flaws Enable Security Bypass and Multiple Attacks

German authorities issued advisories for **Apache ActiveMQ Artemis** and **Apache ActiveMQ Classic** components after disclosing vulnerabilities that affect the broker, client, and web interfaces. One advisory warns that a flaw in **Apache ActiveMQ Artemis** can allow attackers to **bypass security measures**, raising the risk of unauthorized access or actions within affected messaging environments. A separate advisory reports **multiple vulnerabilities** in **Apache ActiveMQ** across the **Client, Broker, and Web** components, indicating broader exposure for organizations using the messaging platform in enterprise integrations and application back ends. The notices identify the affected Apache messaging products as requiring prompt review and remediation to reduce the risk of compromise in systems that rely on ActiveMQ services.

1 week ago
Apache ActiveMQ Jolokia MBean Flaw Enables Authenticated RCE

Apache disclosed **CVE-2026-34197**, an important-severity remote code execution flaw in **Apache ActiveMQ Broker** and **Apache ActiveMQ Classic** that lets authenticated users execute code through the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/`. The default Jolokia access policy permits `exec` operations on ActiveMQ MBeans, so an attacker can call methods such as `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` with a crafted discovery URI. The exploit abuses the VM transport `brokerConfig` parameter to load a remote Spring XML application context via `ResourceXmlApplicationContext`; because Spring may instantiate singleton beans before ActiveMQ validates the configuration, arbitrary code runs in the broker JVM, for example through `Runtime.exec()`. Apache said the issue affects versions before **5.19.4** in the 5.x line and **6.0.0** up to, but not including, **6.2.3** in the 6.x line, and recommends upgrading to **5.19.5** or **6.2.3**; the vulnerability was reported by Naveen Sunkavally of Horizon3.ai.

1 week ago
Critical RCE Vulnerability in Apache ActiveMQ NMS AMQP Client

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-54539, has been discovered in the Apache ActiveMQ NMS AMQP Client. The flaw carries a CVSS 3.1 score of 9.8, reflecting severe impact and ease of exploitation. It arises from deserialization of untrusted data within the NMS AMQP Client component: improperly handled serialized objects received over the AMQP protocol can be crafted by an attacker so that processing them triggers arbitrary code execution, potentially giving the attacker complete control over affected systems. The issue specifically affects deployments using the NMS AMQP Client, a library commonly integrated into enterprise messaging infrastructures, so organizations relying on Apache ActiveMQ are at heightened risk if they use the vulnerable client. Exploitation is remote and requires no prior authentication, which increases the attack surface and the urgency of remediation. The flaw was publicly disclosed on October 16, 2025, prompting a rapid response from the Apache ActiveMQ development team and the broader security community; no active exploitation had been confirmed at the time of disclosure. The Apache Software Foundation has released updated versions of the NMS AMQP Client and urges all users to upgrade immediately, applying compensating controls where patching is not immediately feasible.
Security experts highlight the importance of inventorying all systems for the affected library. The vulnerability underscores the ongoing risk of deserialization flaws in widely used open-source components; organizations are advised to monitor for indicators of compromise and to review their application architectures for similar weaknesses.

1 month ago