Critical Vulnerabilities Discovered in Apache ActiveMQ
Severity: High (Score: 72.6)
Sources: cve.org, Nvd.Nist
Keywords: apache, activemq, detail, improper, code, vulnerability, default
Severity indicators: vulnerability, CVE:CVE-2026-45505
Summary
Two significant vulnerabilities have been identified in Apache ActiveMQ, both published on June 1, 2026. CVE-2026-45505 involves improper input validation that leads to arbitrary code execution via crafted discovery URIs; it affects versions before 5.19.7 and from 6.0.0 before 6.2.6. CVE-2026-49157 concerns incorrect default permissions that allow low-privilege accounts to execute admin-level broker management operations. Both vulnerabilities involve the Jolokia JMX-HTTP bridge, which is exposed through the web console. Users are advised to upgrade to version 5.19.7 or 6.2.6 to mitigate these risks. The vulnerabilities pose a serious threat to organizations running affected versions of Apache ActiveMQ, especially those whose web console is reachable over the network.

Key Points:
- CVE-2026-45505 allows arbitrary code execution through crafted discovery URIs in ActiveMQ.
- CVE-2026-49157 grants low-privilege accounts access to admin-level broker operations.
- Users must upgrade to version 5.19.7 or 6.2.6 to address these vulnerabilities.
Detailed Analysis
**Impact**
Organizations using Apache ActiveMQ Broker versions before 5.19.7 and from 6.0.0 before 6.2.6 are affected globally. The vulnerabilities enable unauthorized code execution and unauthorized broker management operations, potentially disrupting messaging services critical to enterprise operations. This can lead to service outages, unauthorized queue manipulation, and compromise of the broker's JVM environment. No specific sectors or data types are detailed in the source articles.

**Technical Details**
Two vulnerabilities are involved. CVE-2026-45505 allows authenticated attackers to execute arbitrary code via crafted discovery URIs, abusing the Jolokia JMX-HTTP bridge and Spring XML application context loading. CVE-2026-49157 permits low-privilege web-login accounts to perform administrative broker operations because the default Jolokia permissions are too permissive. In both cases the attack vector is authenticated access to the Jolokia endpoint on the web console. No malware or IOCs are provided.

**Recommended Response**
Apply Apache ActiveMQ updates to version 5.19.7 or 6.2.6 immediately to remediate both vulnerabilities. Harden Jolokia access policies by restricting permissions to admin-level accounts only. Monitor Jolokia endpoint access logs for unusual or unauthorized operations. No additional IOCs or detection signatures are specified in the source articles.
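The monitoring step above is easier to operationalize with a concrete check. The following Python script is an added example, not code from the source articles or from the ActiveMQ or Jolokia projects. It reads constructed access-log lines in NCSA common format (the shape a Jetty-style web console log might have, with the authenticated user in the third field), recognizes Jolokia GET-style URLs of the form /api/jolokia/<operation>/..., and flags any account outside an admin allowlist that invokes a state-changing operation (exec or write). The /api/jolokia path, the user names and the MBean paths are assumptions for the example. It also surfaces a practical caveat: Jolokia POST requests carry the operation in the request body, which an access log does not record, so those lines can only be flagged for body-level inspection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample log lines (not real data): NCSA common format with the
# authenticated console user in the third field. Paths and names are made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jun/2026:10:00:01 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalMessageCount HTTP/1.1" 200 312
10.0.0.9 - reader [01/Jun/2026:10:00:05 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/QueueSize HTTP/1.1" 200 298
10.0.0.9 - reader [01/Jun/2026:10:00:09 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addQueue/testQueue HTTP/1.1" 200 401
10.0.0.9 - reader [01/Jun/2026:10:00:11 +0000] "POST /api/jolokia/ HTTP/1.1" 200 520
10.0.0.7 - - [01/Jun/2026:10:00:15 +0000] "GET /admin/index.jsp HTTP/1.1" 200 1024
10.0.0.9 - reader [01/Jun/2026:10:00:20 +0000] "GET /api/jolokia/write/org.apache.activemq:type=Broker,brokerName=localhost/SomeAttribute/1 HTTP/1.1" 200 220
"""

# NCSA common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

JOLOKIA_PREFIX = "/api/jolokia"      # assumed location of the console's Jolokia bridge
PRIVILEGED_OPS = {"exec", "write"}   # Jolokia operations that change broker state


@dataclass
class Finding:
    user: str
    ip: str
    operation: str
    path: str
    reason: str


def classify_jolokia(method: str, path: str) -> Optional[str]:
    """Return the Jolokia operation a request names, or None for non-Jolokia requests.

    GET-style Jolokia URLs encode the operation as the first path segment after the
    bridge prefix (read, write, exec, list, search, version). POST requests put the
    operation in a JSON body the access log never sees, so they are reported as 'post'.
    """
    if not path.startswith(JOLOKIA_PREFIX):
        return None
    if method == "POST":
        return "post"
    rest = path[len(JOLOKIA_PREFIX):].lstrip("/")
    op = rest.split("/", 1)[0].split("?", 1)[0]
    return op or "unknown"


def audit_jolokia_access(log_text: str, admins: Set[str]) -> List[Finding]:
    """Flag non-admin accounts that reach state-changing Jolokia operations."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        op = classify_jolokia(m["method"], m["path"])
        if op is None or m["user"] in admins:
            continue
        if op in PRIVILEGED_OPS:
            findings.append(Finding(m["user"], m["ip"], op, m["path"],
                                    f"non-admin account invoked Jolokia '{op}' operation"))
        elif op == "post":
            findings.append(Finding(m["user"], m["ip"], op, m["path"],
                                    "non-admin POST to Jolokia: operation is in the request body, "
                                    "inspect it at the proxy or application layer"))
    return findings


if __name__ == "__main__":
    for f in audit_jolokia_access(SAMPLE_LOG, admins={"admin"}):
        print(f"{f.ip} user={f.user} op={f.operation} {f.reason}")
```

Against the constructed sample, the script reports three findings for the `reader` account (the exec, the opaque POST and the write) and stays silent on the admin's and reader's read-only requests. A "-" user field (unauthenticated) is treated as a non-admin, so an anonymous Jolokia exec would also be flagged. The regular expression and prefix should be adjusted to the actual log format and deployment path before use.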
Source articles (4)
- CVE-2026-45505 Detail — Nvd.Nist · 2026-06-01
  Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers…
- CVE-2026-49157 Detail — Nvd.Nist · 2026-06-01
  Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin…
- CVE-2026-45505 — cve.org · 2026-06-01
- CVE-2026-49157 — cve.org · 2026-06-01
Timeline
- 2026-04-07 — CVE-2026-34197 published: A vulnerability in Apache ActiveMQ was disclosed, leading to security concerns.
- 2026-04-08 — First public PoC for CVE-2026-34197: A proof of concept was publicly released, demonstrating the exploitability of the vulnerability.
- 2026-04-16 — CVE-2026-34197 added to CISA KEV: CISA confirmed active exploitation of CVE-2026-34197, urging immediate attention.
- 2026-06-01 — CVE-2026-45505 published: A critical vulnerability in Apache ActiveMQ was disclosed, allowing code execution via crafted URIs.
- 2026-06-01 — CVE-2026-49157 published: Another vulnerability in Apache ActiveMQ was disclosed, affecting default permissions for low-privilege accounts.
CVEs
Related entities
- Zero-day Exploit (Attack Type)
- Code Injection (Attack Type)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-94 - Code Injection (Cwe)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- Apache ActiveMQ (Platform)
- Jolokia (Tool)