CVE-2026-42588
Status: Analyzed (Analysis Complete)
Code Injection in Apache ActiveMQ

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave://" URL, which can allow loading a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products (4 associated CPEs)

Vendor | Product | Version / Range
apache | activemq | before 5.19.7 (exclusive)
apache | activemq | from 6.0.0 (inclusive) to 6.2.6 (exclusive)
apache | activemq_broker | before 5.19.7 (exclusive)
apache | activemq_broker | from 6.0.0 (inclusive) to 6.2.6 (exclusive)
CWE ID | Description
CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

CVE-2026-42588 is a vulnerability in Apache ActiveMQ Broker and related packages that allows an authenticated attacker to execute arbitrary code on the broker's JVM.

The issue arises because the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console permits exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String).

An attacker can exploit this by sending a crafted discovery URI that triggers the VM transport's brokerConfig parameter using a "masterslave://" URL, which loads a Spring XML application context via ResourceXmlApplicationContext.

Since Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, this leads to arbitrary code execution through bean factory methods such as Runtime.exec().

This vulnerability affects Apache ActiveMQ versions before 5.19.7 and from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 5.19.7 or 6.2.6 to fix this issue.

Impact Analysis

This vulnerability can allow an authenticated attacker to execute arbitrary code on the Apache ActiveMQ broker's JVM.

Such arbitrary code execution can lead to full compromise of the broker service, potentially allowing the attacker to manipulate messaging operations, disrupt service availability, or use the broker as a pivot point for further attacks within the network.

Because the exploit involves executing code via the Spring XML application context, it can be used to run any commands or payloads that the attacker chooses, leading to severe security risks.

Detection Guidance

This vulnerability involves the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the Apache ActiveMQ web console, which permits exec operations on all ActiveMQ MBeans including BrokerService.addNetworkConnector(String).

To detect this vulnerability, first confirm the broker version: instances before 5.19.7, or from 6.0.0 before 6.2.6, are affected. Then check whether the instance exposes the Jolokia endpoint at /api/jolokia/ and whether the default Jolokia access policy is still in place, since that policy allows exec operations on the org.apache.activemq:* MBeans.

You may use HTTP requests or tools like curl, supplying valid console credentials, to test access to the Jolokia endpoint and attempt to invoke MBean operations.

  • curl -u <username>:<password> http://<activemq-host>:<port>/api/jolokia/
  • curl -u <username>:<password> -H 'Content-Type: application/json' -d '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["masterslave://..."]}' http://<activemq-host>:<port>/api/jolokia/

If an authenticated request of this form is accepted, i.e. the exec operation on the Broker MBean is not rejected by the access policy, the policy is permissive and an unpatched broker is vulnerable.
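For the monitoring side of this guidance, the following added example (not part of this CVE record or of ActiveMQ itself) classifies Jolokia POST bodies captured from /api/jolokia/ and grades exec requests against the org.apache.activemq:* MBeans by the operation and the URI indicators named in the description. It assumes you already log request bodies for that path; the sample bodies are constructed, and the placeholder URI is not a working payload.

```python
"""Grade Jolokia request bodies for the exec pattern described in CVE-2026-42588."""
import json

ACTIVEMQ_DOMAIN = "org.apache.activemq:"      # MBean domain named in the advisory
RISKY_OPERATIONS = {"addNetworkConnector"}    # operation named in the advisory
# Substrings marking a discovery URI that reaches the VM transport's
# brokerConfig parameter through a masterslave:// URL (per the description).
URI_INDICATORS = ("masterslave://", "brokerConfig=")


def iter_requests(body):
    """Jolokia accepts a single request object or a JSON array (bulk request)."""
    parsed = json.loads(body)
    return parsed if isinstance(parsed, list) else [parsed]


def classify(req):
    """Return a finding for one Jolokia request, or None if it is not of interest."""
    if str(req.get("type", "")).lower() != "exec":
        return None
    mbean = str(req.get("mbean", ""))
    if not mbean.startswith(ACTIVEMQ_DOMAIN):
        return None
    # Jolokia lets callers disambiguate overloads as "op(java.lang.String)".
    op = str(req.get("operation", "")).split("(")[0]
    args = json.dumps(req.get("arguments", [])).lower()
    hits = [ind for ind in URI_INDICATORS if ind.lower() in args]
    if op not in RISKY_OPERATIONS and not hits:
        return None
    # A bare addNetworkConnector call may be legitimate administration; the
    # operation combined with a masterslave:// or brokerConfig= argument is not.
    severity = "high" if (op in RISKY_OPERATIONS and hits) else "medium"
    return {"mbean": mbean, "operation": op, "indicators": hits, "severity": severity}


def scan(body):
    """Findings for every request in one logged Jolokia POST body."""
    return [f for f in (classify(r) for r in iter_requests(body)) if f]


# Constructed sample bodies (placeholder URI, no real hosts).
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
EXPLOIT_SHAPE = json.dumps({"type": "exec", "mbean": BROKER,
    "operation": "addNetworkConnector(java.lang.String)",
    "arguments": ["masterslave://CONSTRUCTED-PLACEHOLDER?brokerConfig=PLACEHOLDER"]})
ADMIN_SHAPE = json.dumps({"type": "exec", "mbean": BROKER,
    "operation": "addNetworkConnector",
    "arguments": ["static:(tcp://peer-broker.example.internal:61616)"]})
BULK_BENIGN = json.dumps([{"type": "read", "mbean": BROKER, "attribute": "TotalEnqueueCount"},
                          {"type": "exec", "mbean": "java.lang:type=Memory", "operation": "gc"}])

if __name__ == "__main__":
    for name, body in (("exploit-shaped", EXPLOIT_SHAPE), ("admin", ADMIN_SHAPE), ("bulk", BULK_BENIGN)):
        print(name, scan(body))
```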

Mitigation Strategies

The primary mitigation step is to upgrade Apache ActiveMQ to version 5.19.7 (5.x line) or 6.2.6 (6.x line) or later, where this vulnerability is fixed.

Additionally, restrict access to the Jolokia JMX-HTTP bridge endpoint (/api/jolokia/) by enforcing strong authentication and limiting network exposure.

Review and tighten Jolokia access policies to prevent exec operations on ActiveMQ MBeans unless absolutely necessary.

Monitor and audit usage of Jolokia endpoints to detect any unauthorized or suspicious activity.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
