PT-2026-53838 · Apache · Activemq

Youngjoon Kim

·

Published

2026-06-30

·

Updated

2026-06-30

·

CVE-2026-49432

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ versions prior to 5.19.8
Apache ActiveMQ versions 6.0.0 through 6.2.6
Apache ActiveMQ All versions prior to 5.19.8
Apache ActiveMQ All versions 6.0.0 through 6.2.6
Apache ActiveMQ Stomp versions prior to 5.19.8
Apache ActiveMQ Stomp versions 6.0.0 through 6.2.6
Description

Improper input validation in the STOMP connector allows a remote, unauthenticated peer to trigger a denial of service. The connector does not reject a STOMP frame whose content-length header carries a negative value, and the resulting failure mode depends on the transport in use. On the NIO STOMP transport the attacker can keep streaming body bytes after such a header: the per-connection command buffer grows past the configured limits and the broker can reach an Out of Memory (OOM) condition. On the blocking STOMP transport the negative value instead triggers abnormal transport exception handling, and the affected connection is closed.
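The two checks below, as an added illustration that is not Apache ActiveMQ's code: a toy STOMP frame reader in which a content-length guard that only tests the upper bound is bypassed by a negative value (the body is then read up to the NUL terminator with no limit, so a peer that never sends the NUL keeps the per-connection buffer growing), beside a hardened reader that rejects anything but a non-negative decimal content-length and bounds the NUL-delimited path by the same limit. MAX_DATA_LENGTH, the function names and the sample frames are assumptions constructed for the demo; the exact control flow of the broker's own STOMP wire format is not reproduced.

```python
"""Toy STOMP frame reader: weak vs hardened content-length handling.

Constructed illustration, not Apache ActiveMQ code. MAX_DATA_LENGTH and all
names here are assumptions for the demo.
"""

MAX_DATA_LENGTH = 64  # assumed per-frame body limit (bytes), kept small for the demo


class FrameError(Exception):
    """Malformed or over-limit frame: the connection should be rejected."""


class NeedMore(Exception):
    """Frame not complete yet: keep buffering (what a NIO transport would do)."""


def parse_headers(data: bytes):
    """Split a STOMP frame into (command, headers, offset where the body starts)."""
    head, sep, _ = data.partition(b"\n\n")
    if not sep:
        raise NeedMore("headers incomplete")
    lines = head.split(b"\n")
    command = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        # STOMP: if a header repeats, the first occurrence wins
        headers.setdefault(key.decode("ascii", "replace"), value.decode("ascii", "replace"))
    return command, headers, len(head) + 2


def read_body_vulnerable(data: bytes, max_len: int = MAX_DATA_LENGTH) -> bytes:
    """Weak pattern: only the upper bound is checked, so a negative content-length
    passes the guard and falls through to an unbounded NUL-delimited read."""
    _, headers, off = parse_headers(data)
    cl = headers.get("content-length")
    if cl is not None:
        n = int(cl)
        if n > max_len:
            raise FrameError("body too large")
        if n >= 0:
            if len(data) < off + n + 1:
                raise NeedMore("body incomplete")
            return data[off:off + n]
    end = data.find(b"\x00", off)  # negative content-length lands here: no bound at all
    if end < 0:
        raise NeedMore("no NUL yet")  # buffer keeps growing as long as bytes arrive
    return data[off:end]


def read_body_hardened(data: bytes, max_len: int = MAX_DATA_LENGTH) -> bytes:
    """Reject a content-length that is not a non-negative decimal integer, and
    bound the NUL-delimited path by the same limit as the explicit-length path."""
    _, headers, off = parse_headers(data)
    cl = headers.get("content-length")
    if cl is not None:
        if not cl.isdigit():  # rejects "-1", "", "+5", "0x10"
            raise FrameError("invalid content-length %r" % cl)
        n = int(cl)
        if n > max_len:
            raise FrameError("body too large")
        if len(data) < off + n + 1:
            raise NeedMore("body incomplete")
        if data[off + n] != 0:
            raise FrameError("missing NUL after body")
        return data[off:off + n]
    end = data.find(b"\x00", off, off + max_len + 1)
    if end < 0:
        if len(data) - off > max_len:
            raise FrameError("body exceeds limit without NUL")
        raise NeedMore("no NUL yet")
    return data[off:end]


def peak_buffer(chunks, read_body):
    """Feed chunks into a per-connection buffer, as a NIO transport would, and
    return (buffer size reached, outcome) where outcome is accepted/rejected/incomplete."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        try:
            read_body(buf)
            return len(buf), "accepted"
        except FrameError:
            return len(buf), "rejected"
        except NeedMore:
            continue
    return len(buf), "incomplete"


if __name__ == "__main__":
    # Constructed attacker stream: negative content-length, then body bytes far past the limit.
    frame = b"SEND\ndestination:/queue/a\ncontent-length:-1\n\n"
    chunks = [frame] + [b"A" * 32] * 20 + [b"\x00"]
    print("vulnerable:", peak_buffer(chunks, read_body_vulnerable))
    print("hardened:  ", peak_buffer(chunks, read_body_hardened))
```

With the constructed stream the weak reader only gives up once the NUL finally arrives, by which point the buffer holds ten times the assumed limit; withhold the NUL and it never gives up at all, which is the memory-growth path the description attributes to the NIO transport. The hardened reader rejects the frame on the header alone, before any body byte is buffered.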
Recommendations

Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7.
Upgrade Apache ActiveMQ All to version 5.19.8 or 6.2.7.
Upgrade Apache ActiveMQ Stomp to version 5.19.8 or 6.2.7.

Fix

DoS


Weakness Enumeration

Related Identifiers

CVE-2026-49432

Affected Products

Activemq