PT-2026-34867 · Apache · ActiveMQ
Jsjcw · Published 2026-04-23 · Updated 2026-05-03 · CVE-2026-41044
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ (including the ActiveMQ Broker component):
- all versions prior to 5.19.6
- versions 6.0.0 through 6.2.4
Description
Improper input validation and improper control of code generation allow an authenticated attacker to perform code injection. Using the admin web console, the attacker creates a malicious broker name that bypasses validation and embeds an xbean binding. A VM transport can use that binding to load a remote Spring XML application context. The attacker then uses the DestinationView MBean to trigger creation of a VM transport that references the malicious broker name, which makes the broker load the attacker-controlled Spring XML context file. Because ResourceXmlApplicationContext instantiates all singleton beans before BrokerService validates the configuration, bean factory methods such as Runtime.exec() run in the broker's JVM, giving the attacker arbitrary code execution.
Exploitation requires credentials for the admin web console and a broker that can reach the attacker-controlled Spring XML resource. Until the upgrade is applied, limiting who can reach the console and what the broker host can fetch reduces exposure, but only the fixed releases remove the flaw.
Recommendations
- Upgrade versions prior to 5.19.6 to 5.19.6.
- Upgrade versions 6.0.0 through 6.2.4 to 6.2.5.
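The following triage script is an added example for the description and recommendations above; it is not code from the advisory or from the Apache ActiveMQ project. It checks a reported broker version against the affected ranges the advisory lists and screens broker names for the shape the description calls out (an xbean: binding or a remote URL smuggled into the name). The allow-list regex for broker names, the remote-scheme heuristic and the sample names are assumptions of this example, not ActiveMQ's actual validation rules.

```python
"""Triage helper for CVE-2026-41044 (Apache ActiveMQ).

Added example, not ActiveMQ project code: version-range check against the
advisory's affected ranges plus a heuristic screen of broker names.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the advisory states them.
FIXED_5X: Version = (5, 19, 6)            # every version below this is affected
FIRST_AFFECTED_6X: Version = (6, 0, 0)
LAST_AFFECTED_6X: Version = (6, 2, 4)
FIXED_6X: Version = (6, 2, 5)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
# Assumed conservative allow-list for broker names; the advisory does not
# state the real validation rules, so treat this as an illustrative policy.
_BROKER_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")
_REMOTE_SCHEME_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from strings such as '5.18.3',
    '6.1.7-SNAPSHOT' or 'apache-activemq-5.19'. A missing patch is 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def _require_version(version: str) -> Version:
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return v


def is_affected(version: str) -> bool:
    """True when the version lies inside an affected range from the advisory."""
    v = _require_version(version)
    return v < FIXED_5X or FIRST_AFFECTED_6X <= v <= LAST_AFFECTED_6X


def recommended_upgrade(version: str) -> Optional[str]:
    """The fixed release the advisory recommends, or None if not affected."""
    v = _require_version(version)
    if v < FIXED_5X:
        return "%d.%d.%d" % FIXED_5X
    if FIRST_AFFECTED_6X <= v <= LAST_AFFECTED_6X:
        return "%d.%d.%d" % FIXED_6X
    return None


def broker_name_findings(name: str) -> List[str]:
    """Screen a broker name for the pattern the advisory describes: an xbean:
    binding and/or a remote URL embedded in the name. Returns the reasons
    the name looks suspicious (empty list means nothing was flagged)."""
    findings: List[str] = []
    if "xbean:" in name.lower():
        findings.append("contains an xbean: binding")
    if _REMOTE_SCHEME_RE.search(name):
        findings.append("references a remote URL")
    if not _BROKER_NAME_RE.fullmatch(name):
        findings.append("contains characters outside the allow-list")
    return findings


def triage(version: str, broker_names: List[str]) -> Dict[str, object]:
    """Combine the version check and the broker-name screen into one report."""
    suspicious: Dict[str, List[str]] = {}
    for name in broker_names:
        findings = broker_name_findings(name)
        if findings:
            suspicious[name] = findings
    return {
        "version": version,
        "affected_version": is_affected(version),
        "upgrade_to": recommended_upgrade(version),
        "suspicious_broker_names": suspicious,
    }


if __name__ == "__main__":
    # Constructed sample input for demonstration, not data from a real broker.
    sample_names = ["localhost", "xbean:http://attacker.example/evil.xml"]
    print(json.dumps(triage("6.1.7", sample_names), indent=2))
```

Feed it the version string reported by the broker and the configured broker names; a hit on the version check means the upgrade in the recommendations applies regardless of what the name screen finds, and a flagged name on an already patched broker is still worth a look because it may be left over from an earlier attempt.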

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-06410
BIT-ACTIVEMQ-2026-41044
CVE-2026-41044
GHSA-MR6M-XJ7V-3CV3
OESA-2026-2124
OESA-2026-2125
OESA-2026-2126
OESA-2026-2127

Affected Products

ActiveMQ