PT-2026-45373 · Apache · Activemq

·

CVE-2026-42588

·

Published

2026-05-31

·

Updated

2026-07-04

CVSS v2.0

8.5

High

VectorAV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Apache ActiveMQ Broker versions prior to 5.19.7 Apache ActiveMQ Broker versions 6.0.0 through 6.2.5 Apache ActiveMQ All versions prior to 5.19.7 Apache ActiveMQ All versions 6.0.0 through 6.2.5 Apache ActiveMQ versions prior to 5.19.7 Apache ActiveMQ versions 6.0.0 through 6.2.5
Description Improper input validation and improper control of code generation lead to a code injection issue. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at the '/api/jolokia/' endpoint on the web console. The default access policy allows execution operations on all ActiveMQ MBeans, specifically the addNetworkConnector(String) function within BrokerService. An authenticated attacker can use a crafted discovery URI to trigger the brokerConfig parameter of the VM transport via a "masterslave://" URL. This allows the loading of a Spring XML application context using ResourceXmlApplicationContext. Since this context instantiates singleton beans before the configuration is validated, arbitrary code can be executed on the broker's JVM through bean factory methods such as Runtime.exec().
Recommendations Upgrade Apache ActiveMQ Broker to version 5.19.7 or 6.2.6. Upgrade Apache ActiveMQ All to version 5.19.7 or 6.2.6. Upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6.

Exploit

Fix

DoS

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08456
BIT-ACTIVEMQ-2026-42588
CVE-2026-42588
GHSA-HG6C-8MVR-JQC9
OESA-2026-2723
OESA-2026-2724
OESA-2026-2725

Affected Products

Activemq