CVE-2026-33227
Received Received - Intake
Classpath Traversal Vulnerability in Apache ActiveMQ Client and Broker

Publication date: 2026-04-07

Last updated on: 2026-04-20

Assigner: Apache Software Foundation

Description
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33227
EUVD
EUVD-2026-19586
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
apache activemq to 5.19.3 (exc)
apache activemq From 6.0.0 (inc) to 6.2.2 (exc)
apache activemq_broker to 5.19.3 (exc)
apache activemq_broker From 6.0.0 (inc) to 6.2.2 (exc)
apache activemq_web to 5.19.3 (exc)
apache activemq_web From 6.0.0 (inc) to 6.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33227 is a low-severity vulnerability in multiple Apache ActiveMQ components, including the Client, Broker, All, and Web versions. It occurs due to improper validation and restriction of classpath path names. Specifically, in two scenariosβ€”when creating a Stomp consumer and when browsing messages via the Web consoleβ€”an authenticated user can supply a specially crafted "key" value. This crafted value exploits unsafe path concatenation, allowing traversal of the classpath. This classpath traversal vulnerability could be combined with other attacks to further exploit the system.

Impact Analysis

This vulnerability allows an authenticated user to traverse the classpath by supplying a crafted "key" value, which can lead to unauthorized loading of classpath resources. While the vulnerability itself is low severity, it can be chained with other attacks to potentially exploit the system further. This could result in unauthorized access to sensitive resources or execution of unintended code within the affected Apache ActiveMQ components.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-33227 in Apache ActiveMQ components, users are strongly advised to upgrade affected versions to 5.19.4 or 6.2.3. These versions fully fix the issue, including a path separator resolution bug affecting Windows environments.

Versions 5.19.3 and 6.2.2 also address the vulnerability but only for non-Windows platforms due to the path separator bug.

Upgrading to the fixed versions is the recommended immediate step to prevent exploitation of the classpath path traversal vulnerability.

Detection Guidance

This vulnerability involves improper validation of classpath path names in Apache ActiveMQ components, exploitable by an authenticated user supplying a crafted "key" value during Stomp consumer creation or message browsing in the Web console.

Detection typically involves verifying the version of Apache ActiveMQ components in use to determine if they fall within the affected versions before 5.19.3 or from 6.0.0 before 6.2.2.

There are no specific commands or network detection signatures provided in the available resources to detect exploitation attempts or presence of this vulnerability.

As a practical step, you can check the installed ActiveMQ version using commands like:

  • For Linux systems, check the ActiveMQ version by running: `activemq --version` or inspecting the version in the application logs.
  • Alternatively, check the version of the ActiveMQ client or broker libraries in your deployment by inspecting the package manager or build files.

If you are running a vulnerable version, upgrading to 5.19.4 or 6.2.3 is strongly recommended to mitigate the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33227. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart