{"schema_version":"1.7.2","id":"OESA-2026-2125","modified":"2026-05-03T09:55:25Z","published":"2026-05-03T09:55:25Z","upstream":["CVE-2026-33227","CVE-2026-34197","CVE-2026-39304","CVE-2026-40046","CVE-2026-40466","CVE-2026-41043","CVE-2026-41044"],"summary":"activemq security update","details":"The most popular and powerful open source messaging and Integration Patterns server.\n\nSecurity Fix(es):\n\nSeverity: low\n\nAffected versions:\n\n- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.3\n- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before 6.2.2\n- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.3\n- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.2\n- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.3\n- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.2\n- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.3\n- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.2\n\nDescription:\n\nImproper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.\n\nCredit:\n\nDawei Wang (finder)\n\nReferences: (CVE-2026-33227)\n\nSeverity: important\n\nAffected versions:\n\n- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4\n- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3\n- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4\n- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3\n\nDescription:\n\nImproper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.\n\nApache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).\n\nAn authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().\nThis issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: .\n\nUsers are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.\n\nCredit:\n\nNaveen Sunkavally (Horizon3.ai) (finder)\n\nReferences: (CVE-2026-34197)\n\nDenial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue. (CVE-2026-39304)\n\nInteger Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue. (CVE-2026-40046)\n\nA vulnerability, which was classified as problematic, has been found in Apache ActiveMQ up to 5.19.5/6.2.4 (Application Server Software). Impacted is integrity. Upgrading to version 5.19.6 or 6.2.5 eliminates this vulnerability. (CVE-2026-40466)\n\nImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.\n\nAn authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.\n\nThis issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.\n\nUsers are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue. (CVE-2026-41043)\n\nA vulnerability has been found in Apache ActiveMQ up to 5.19.5/6.2.4 and classified as problematic. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.19.6 or 6.2.5 eliminates this vulnerability. (CVE-2026-41044)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"activemq","purl":"pkg:rpm/openEuler/activemq&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.19.6-1.oe2403"}]}],"ecosystem_specific":{"noarch":["activemq-5.19.6-1.oe2403.noarch.rpm","activemq-javadoc-5.19.6-1.oe2403.noarch.rpm"],"src":["activemq-5.19.6-1.oe2403.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2125"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33227"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34197"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39304"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40046"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40466"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41043"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41044"}],"database_specific":{"severity":"High"}}
