Description
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.

Following the fix for CVE-2026-49270, an unauthenticated attacker can now cause a broker OOM by sending repeated BrokerInfo commands without sending a ConnectionInfo, until the broker crashes with OOM.
This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7.

Users are recommended to upgrade to version 6.2.7, which fixes the issue.
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can trigger an Out of Memory condition in the broker by repeatedly sending BrokerInfo commands without first establishing a ConnectionInfo. This causes the broker to consume excessive memory and crash, resulting in a denial of service of the messaging service. The weakness is a resource-exhaustion denial-of-service flaw.

Affected Systems

The flaw affects Apache ActiveMQ Broker, Apache ActiveMQ, and Apache ActiveMQ All. Vulnerable releases are 5.19.7 prior to 5.19.8 and 6.2.6 prior to 6.2.7.

Risk and Exploitability

Because no authentication is required, the attacker only needs network access to the OpenWire port. Exploitation is straightforward: BrokerInfo packets are sent repeatedly until the broker runs out of memory. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the practical impact is high because the attack requires no privileges and targets a critical messaging service.

Generated by OpenCVE AI on June 30, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache ActiveMQ version 6.2.7 or later.
  • If an upgrade is not immediately possible, restrict OpenWire traffic to trusted hosts using firewall rules or access control lists.
  • Implement monitoring of broker memory usage and configure alerts to restart the broker when an OOM condition is detected.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-768

Tue, 30 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Tue, 30 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-768

Tue, 30 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Description Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM. This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.
Title Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire DoS following fix for CVE-2026-49270
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T13:21:45.456Z

Reserved: 2026-06-06T19:20:20.134Z

Link: CVE-2026-50750

Vulnrichment

Updated: 2026-06-30T13:20:59.560Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption