PT-2026-30804 · Apache · Apache ActiveMQ Broker +2

Dawei Wang · Published 2026-04-07 · Updated 2026-05-03 · CVE-2026-33227

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ Client versions prior to 5.19.3, from 6.0.0 through 6.2.2
Apache ActiveMQ Broker versions prior to 5.19.3, from 6.0.0 through 6.2.2
Apache ActiveMQ All versions prior to 5.19.3, from 6.0.0 through 6.2.2

Description

An improper validation and restriction of a classpath path name issue exists in Apache ActiveMQ Client, Broker, and All. A 'key' value supplied by an authenticated user can be crafted to traverse the classpath because of path concatenation, potentially leading to a classpath resource loading issue that could be chained with another attack.

Recommendations

Upgrade to version 5.19.4 or 6.2.3 to resolve the issue. Note that versions 5.19.3 and 6.2.2 also address this issue, but only in non-Windows environments.
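
The concatenation problem in the description, as an added Java example (not ActiveMQ's code or its patch): a 'key' appended unchecked to a classpath prefix, next to a version that validates the key first. The class name, the prefix META-INF/example-services/ and the allow-list pattern are assumptions made for illustration; backslashes are rejected along with forward slashes so the check behaves the same on every platform.

```java
import java.io.InputStream;
import java.util.regex.Pattern;

// Added illustration; class, method and prefix names are hypothetical, not ActiveMQ code.
public class ClasspathKeyLookup {
    // Hypothetical directory on the classpath that lookups must stay inside.
    static final String PREFIX = "META-INF/example-services/";
    // Allow-list: dot-separated name segments only, so no slash, backslash,
    // colon, percent sign or ".." sequence can ever match.
    static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9_+-]+(\\.[A-Za-z0-9_+-]+)*");

    // Weak form: the key is appended unchecked, so "../" segments leave PREFIX.
    static String unsafePath(String key) {
        return PREFIX + key;
    }

    // Hardened form: validate the key before it is ever concatenated.
    static String safePath(String key) {
        if (key == null || key.length() > 128 || !SAFE_KEY.matcher(key).matches()) {
            throw new IllegalArgumentException("rejected resource key");
        }
        return PREFIX + key;
    }

    static InputStream open(String key) {
        // getResourceAsStream returns null when the resource does not exist.
        return ClasspathKeyLookup.class.getClassLoader().getResourceAsStream(safePath(key));
    }

    public static void main(String[] args) {
        // Constructed sample keys: one ordinary name and three traversal shapes.
        String[] keys = { "tcp", "../../application.properties",
                          "..\\..\\application.properties", "a/../../b" };
        for (String key : keys) {
            String verdict;
            try {
                verdict = "accepted -> " + safePath(key);
            } catch (IllegalArgumentException e) {
                verdict = "rejected (unchecked path would be " + unsafePath(key) + ")";
            }
            System.out.println(key + ": " + verdict);
        }
    }
}
```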

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BIT-ACTIVEMQ-2026-33227
CVE-2026-33227
GHSA-H2H4-5M64-M273
OESA-2026-2124
OESA-2026-2125
OESA-2026-2126
OESA-2026-2127

Affected Products

Apache ActiveMQ
Apache ActiveMQ Broker
Apache ActiveMQ Client