Description
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.

A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection, followed by its closure.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ Stomp are vulnerable to denial of service when a remote, unauthenticated peer connects to an exposed STOMP connector and sends a frame with a negative content‑length value. This negative length causes the server to mishandle the payload: the NIO STOMP transport keeps consuming the network stream, enlarging the per‑connection command buffer until it exceeds the configured limits and results in out‑of‑memory conditions, while the blocking STOMP protocol forces abnormal transport exception handling, leading to premature connection shutdown. The vulnerability is an instance of improper input validation (CWE‑20).
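The Description and the Impact paragraph above both come down to one missing check: the content-length header must be a bounded, non-negative integer, and the per-connection buffer must be capped on bytes actually received rather than on whatever the peer declares. The following is an added example written for this page, not ActiveMQ code; it is a minimal STOMP 1.2 frame parser and incremental reader that applies both checks. MAX_FRAME_SIZE, FrameReader and the constructed sample frames are assumptions of this example.

```python
"""Defensive STOMP frame parsing: validate content-length before trusting it.

Added example, not Apache ActiveMQ code. Frame layout follows STOMP 1.2:
COMMAND\\nheader:value\\n...\\n\\nbody\\x00. MAX_FRAME_SIZE is an assumed limit.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_FRAME_SIZE = 1024  # assumed per-connection byte limit for this example


class FrameError(ValueError):
    """Raised when a frame violates the protocol or the size policy."""


class IncompleteFrame(FrameError):
    """Raised when more bytes are needed; not a protocol violation."""


@dataclass
class Frame:
    command: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_content_length(value: str, max_size: int) -> int:
    """Accept only a plain non-negative decimal integer within the limit.

    A sign, whitespace or non-ASCII digit is rejected up front, so "-1"
    never reaches int() and can never be used as a buffer length.
    """
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise FrameError(f"invalid content-length: {value!r}")
    length = int(value)
    if length > max_size:
        raise FrameError(f"content-length {length} exceeds limit {max_size}")
    return length


def parse_frame(buf: bytes, max_size: int = MAX_FRAME_SIZE) -> Frame:
    """Parse one complete STOMP frame; raise IncompleteFrame if bytes are missing."""
    head, sep, rest = buf.partition(b"\n\n")
    if not sep:
        raise IncompleteFrame("incomplete headers")
    lines = head.decode("utf-8").split("\n")
    command = lines[0]
    headers: dict = {}
    for line in lines[1:]:
        name, colon, val = line.partition(":")
        if not colon:
            raise FrameError(f"malformed header line: {line!r}")
        headers.setdefault(name, val)  # STOMP 1.2: first occurrence wins
    if "content-length" in headers:
        # Validate the declared length before reading a single body byte.
        n = parse_content_length(headers["content-length"], max_size)
        if len(rest) < n + 1:
            raise IncompleteFrame("incomplete body")
        if rest[n:n + 1] != b"\x00":
            raise FrameError("missing NUL terminator after declared body")
        body = rest[:n]
    else:
        body, nul, _ = rest.partition(b"\x00")
        if not nul:
            raise IncompleteFrame("incomplete body")
    return Frame(command, headers, body)


class FrameReader:
    """Incremental per-connection reader whose cap ignores any header value."""

    def __init__(self, max_size: int = MAX_FRAME_SIZE) -> None:
        self.max_size = max_size
        self._buf = b""

    def feed(self, chunk: bytes) -> Optional[Frame]:
        """Append received bytes; return a Frame once one is complete.

        The limit is enforced on bytes actually received, so a peer that
        keeps streaming body bytes is cut off at max_size regardless of what
        its content-length header claims. Bytes after the first complete
        frame are discarded in this example for brevity.
        """
        if len(self._buf) + len(chunk) > self.max_size:
            self._buf = b""
            raise FrameError("per-connection buffer limit exceeded")
        self._buf += chunk
        try:
            frame = parse_frame(self._buf, self.max_size)
        except IncompleteFrame:
            return None  # wait for more bytes
        except FrameError:
            self._buf = b""  # drop the offending connection state
            raise
        self._buf = b""
        return frame


if __name__ == "__main__":
    # Constructed sample frames for this example.
    print(parse_frame(b"SEND\ndestination:/queue/a\ncontent-length:5\n\nhello\x00"))
    try:
        parse_frame(b"SEND\ncontent-length:-1\n\nhello\x00")
    except FrameError as exc:
        print("rejected:", exc)
```

The reader rejects a bad content-length as soon as the header block is complete, before any body bytes are buffered, and the byte cap in feed() holds even if a future header parser regressed.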

Affected Systems

The affected products are Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ Stomp. Versions before 5.19.8 and all releases in the 6.0.0 to 6.2.6 range are impacted; upgrading to 5.19.8 or 6.2.7 removes the flaw.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is not available, but the vulnerability allows an unauthenticated attacker to trigger service disruption by sending a frame with a negative content‑length to an exposed STOMP connector. This can cause OOM in the NIO transport or abnormal exception handling in the blocking protocol, resulting in a denial of service. The flaw is not listed in the CISA KEV catalog, and the attack can be carried out over any network where the STOMP port is reachable.

Generated by OpenCVE AI on June 30, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7, which contain the fix for the negative content‑length handling.
  • Restrict access to the STOMP connector to trusted networks or disable the connector if it is not required for operations.
  • If an upgrade cannot be performed immediately, consider implementing network filtering or rate‑limiting on the STOMP port and monitor for excessive connection churn that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 10:45:00 +0000

Type: Description
Values removed: (none)
Values added: (identical to the Description section above)
Type: Title
Values added: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service
Type: Weaknesses
Values added: CWE-20
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T15:55:36.075Z

Reserved: 2026-05-29T20:35:56.881Z

Link: CVE-2026-49432

Vulnrichment

Updated: 2026-06-30T11:06:04.962Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T11:30:04Z

Weaknesses
  • CWE-20: Improper Input Validation