Description
Improper validation and restriction of a classpath path name vulnerability in

Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.



In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.





This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.

Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
Published: 2026-04-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Classpath traversal enabling arbitrary classpath resource loading
Action: Immediate Patch
AI Analysis

Impact

An authenticated user can supply a specially crafted key value when creating a STOMP consumer or browsing messages via the Web console. The application concatenates this value to a classpath path without proper validation or restriction, enabling attackers to traverse the classpath boundary. This flaw allows arbitrary classpath resources to be loaded, potentially exposing sensitive files or enabling further attacks when chained with other vulnerabilities. The weakness is identified as a Path Traversal (CWE‑22).

Affected Systems

All major ActiveMQ components—Client, Broker, All, Web, and the core product—are affected in versions prior to 5.19.3 and from 6.0.0 to, but not including, 6.2.2. Users running 5.x should move to 5.19.4 or any 5.19.3 or later on non‑Windows systems. Users on the 6.x line should upgrade to 6.2.3 or any 6.2.2 on non‑Windows, as those releases patch path‑separator handling and classpath traversal checks.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score is below 1%, with the vulnerability not listed in the CISA KEV catalog, suggesting limited likelihood of exploitation in the wild. However, because the flaw requires authentication and can expose sensitive resources, it may serve as a stepping stone for additional attacks, particularly if the application runs with elevated privileges. Exploitability depends on the environment and the privileges of the running process.

Generated by OpenCVE AI on April 8, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify your ActiveMQ version and operating system.
  • If running an affected release, upgrade to 5.19.4 or 6.2.3 (or to 5.19.3/6.2.2 on non‑Windows).
  • After upgrading, confirm that creating a STOMP consumer and browsing messages in the Web console no longer allows path traversal.

Generated by OpenCVE AI on April 8, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h2h4-5m64-m273 Apache ActiveMQ: Improper validation and restriction of a classpath path name
History

Mon, 20 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache activemq Broker
Apache activemq Web
CPEs cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*
Vendors & Products Apache activemq Broker
Apache activemq Web

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache activemq
Vendors & Products Apache
Apache activemq

Wed, 08 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3. Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
Title Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitation of a Pathname to a Restricted Classpath Directory Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ: Improper Limitation of a Pathname to a Restricted Classpath Directory

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Description Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
Title Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitation of a Pathname to a Restricted Classpath Directory
Weaknesses CWE-22
References

Subscriptions

Apache Activemq Activemq Broker Activemq Web
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-08T15:44:39.427Z

Reserved: 2026-03-18T00:08:09.668Z

Link: CVE-2026-33227

cve-icon Vulnrichment

Updated: 2026-04-07T08:29:12.768Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T09:16:20.750

Modified: 2026-04-20T16:50:36.487

Link: CVE-2026-33227

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T07:50:58Z

Links: CVE-2026-33227 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:13:05Z

Weaknesses