CVE-2026-33227
Classpath Traversal Vulnerability in Apache ActiveMQ Client and Broker
Publication date: 2026-04-07
Last updated on: 2026-04-20
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq | to 5.19.3 (exc) |
| apache | activemq | From 6.0.0 (inc) to 6.2.2 (exc) |
| apache | activemq_broker | to 5.19.3 (exc) |
| apache | activemq_broker | From 6.0.0 (inc) to 6.2.2 (exc) |
| apache | activemq_web | to 5.19.3 (exc) |
| apache | activemq_web | From 6.0.0 (inc) to 6.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33227 is a low-severity vulnerability in multiple Apache ActiveMQ components, including the Client, Broker, All, and Web versions. It occurs due to improper validation and restriction of classpath path names. Specifically, in two scenariosβwhen creating a Stomp consumer and when browsing messages via the Web consoleβan authenticated user can supply a specially crafted "key" value. This crafted value exploits unsafe path concatenation, allowing traversal of the classpath. This classpath traversal vulnerability could be combined with other attacks to further exploit the system.
How can this vulnerability impact me? :
This vulnerability allows an authenticated user to traverse the classpath by supplying a crafted "key" value, which can lead to unauthorized loading of classpath resources. While the vulnerability itself is low severity, it can be chained with other attacks to potentially exploit the system further. This could result in unauthorized access to sensitive resources or execution of unintended code within the affected Apache ActiveMQ components.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-33227 in Apache ActiveMQ components, users are strongly advised to upgrade affected versions to 5.19.4 or 6.2.3. These versions fully fix the issue, including a path separator resolution bug affecting Windows environments.
Versions 5.19.3 and 6.2.2 also address the vulnerability but only for non-Windows platforms due to the path separator bug.
Upgrading to the fixed versions is the recommended immediate step to prevent exploitation of the classpath path traversal vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper validation of classpath path names in Apache ActiveMQ components, exploitable by an authenticated user supplying a crafted "key" value during Stomp consumer creation or message browsing in the Web console.
Detection typically involves verifying the version of Apache ActiveMQ components in use to determine if they fall within the affected versions before 5.19.3 or from 6.0.0 before 6.2.2.
There are no specific commands or network detection signatures provided in the available resources to detect exploitation attempts or presence of this vulnerability.
As a practical step, you can check the installed ActiveMQ version using commands like:
- For Linux systems, check the ActiveMQ version by running: `activemq --version` or inspecting the version in the application logs.
- Alternatively, check the version of the ActiveMQ client or broker libraries in your deployment by inspecting the package manager or build files.
If you are running a vulnerable version, upgrading to 5.19.4 or 6.2.3 is strongly recommended to mitigate the vulnerability.