PT-2026-53839 · Apache · Activemq

Published: 2026-06-30 · Updated: 2026-06-30 · CVE-2026-49434

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ Broker versions prior to 5.19.8

Apache ActiveMQ Broker versions 6.0.0 through 6.2.6

Apache ActiveMQ versions prior to 5.19.8

Apache ActiveMQ versions 6.0.0 through 6.2.6

Apache ActiveMQ All versions prior to 5.19.8

Apache ActiveMQ All versions 6.0.0 through 6.2.6

Description

Improper input validation allows an attacker with permissions to publish or modify entries in LDAP that match the configured searchBase and searchFilter to instantiate denied transports within the broker JVM. This capability can be leveraged to fetch a URL controlled by the attacker and spawn a second BrokerService inside the same JVM.

Recommendations

Upgrade Apache ActiveMQ Broker to version 5.19.8 or 6.2.7.

Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7.

Upgrade Apache ActiveMQ All to version 5.19.8 or 6.2.7.
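
An added example (not part of the original advisory and not Apache's code): a triage helper that classifies ActiveMQ version strings against the affected ranges listed above and names the fixed release to move to. The inventory lines and host names are constructed, and ignoring qualifiers such as -SNAPSHOT is an assumption.

```python
import re

# Boundaries taken from the advisory text (CVE-2026-49434).
FIXED_5X = (5, 19, 8)   # 5.x line: everything before this is affected
FIRST_6X = (6, 0, 0)    # 6.x line: affected from here ...
FIXED_6X = (6, 2, 7)    # ... up to, but not including, this release

def parse_version(text):
    """Parse '5.19.7' or '6.2.6-SNAPSHOT' into (major, minor, patch).

    Assumption: qualifiers after the numeric part are ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def upgrade_target(version):
    """Return the fixed release to upgrade to, or None if not affected."""
    v = parse_version(version)
    if v < FIXED_5X:
        return "5.19.8"
    if FIRST_6X <= v < FIXED_6X:
        return "6.2.7"
    return None

def triage(inventory_lines):
    """Map 'host version' lines to (host, version, status) tuples."""
    results = []
    for line in inventory_lines:
        fields = line.split()
        if len(fields) != 2 or fields[0].startswith("#"):
            continue  # skip blanks, comments and malformed rows
        host, version = fields
        try:
            target = upgrade_target(version)
        except ValueError:
            results.append((host, version, "unparsed, check manually"))
            continue
        status = f"affected, upgrade to {target}" if target else "not affected"
        results.append((host, version, status))
    return results

# Constructed sample inventory (hypothetical host names).
SAMPLE = ["# host version", "mq-a 5.18.3", "mq-b 5.19.8", "mq-c 6.2.6",
          "mq-d 6.2.7", "mq-e 6.0.0-SNAPSHOT", "mq-f unknown"]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Rows reported as unparsed need a manual version check rather than being treated as safe.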

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-49434

Affected Products

Activemq