Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.

An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application.
The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file.


Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Published: 2026-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated attacker with access to the broker’s admin web console can craft a broker name that contains a malicious xbean binding. When the DestinationView MBean is later used to send a message, this binding triggers the creation of a VM transport that loads the attacker’s Spring XML context file. Because Spring’s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, the broker’s JVM executes code supplied by the attacker, typically via a Runtime.exec() call. The result is arbitrary code execution on the broker’s host machine.

Affected Systems

Apache ActiveMQ, Apache ActiveMQ Broker, and Apache ActiveMQ All products from versions prior to 5.19.6 and from 6.0.0 through 6.2.4 are vulnerable. Versions 6.2.5 and 5.19.6, and later releases, contain the fix.

Risk and Exploitability

The CVSS score of 8.8 indicates a high overall severity, while the EPSS score of less than 1% suggests that the exploit is currently unlikely to be widely used. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session to the broker’s admin console and the ability to create or modify broker names, making it a privilege-based risk. Once a privileged user supplies a malicious broker name, the broker can execute arbitrary code in the context of the broker process, potentially granting the attacker full control over the underlying operating system.

Generated by OpenCVE AI on April 28, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache ActiveMQ 6.2.5 or 5.19.6, which removes the vulnerable broker name validation and VM transport code.
  • Restrict administrative access to the broker web console to the minimum number of trusted users and enforce strong authentication methods.
  • If the Admin console cannot be disabled, consider disabling the DestinationView MBean or any VM transport features that are not required for normal operation.

Generated by OpenCVE AI on April 28, 2026 at 06:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mr6m-xj7v-3cv3 Apache ActiveMQ Vulnerable to Code Injection
History

Mon, 04 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache activemq
Apache activemq Broker
CPEs cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache activemq
Apache activemq Broker

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Fri, 24 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Title Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia
Weaknesses CWE-20
CWE-94
References

Subscriptions

Apache Activemq Activemq Broker
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-25T03:55:54.877Z

Reserved: 2026-04-16T13:02:49.030Z

Link: CVE-2026-41044

cve-icon Vulnrichment

Updated: 2026-04-24T10:35:44.851Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T11:16:22.790

Modified: 2026-04-27T14:49:13.410

Link: CVE-2026-41044

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-24T10:16:53Z

Links: CVE-2026-41044 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses