CVE-2026-42588
Code Injection in Apache ActiveMQ

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave://" URL, which can allow loading a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache activemq_broker From 6.0.0 (inc) to 6.2.6 (exc)
apache activemq_all From 6.0.0 (inc) to 6.2.6 (exc)
apache activemq From 6.0.0 (inc) to 6.2.6 (exc)
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42588 is a vulnerability in Apache ActiveMQ Broker and related packages that allows an authenticated attacker to execute arbitrary code on the broker's JVM.

The issue arises because the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console permits exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String).

An attacker can exploit this by sending a crafted discovery URI that triggers the VM transport's brokerConfig parameter using a "masterslave://" URL, which loads a Spring XML application context via ResourceXmlApplicationContext.

Since Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, this leads to arbitrary code execution through bean factory methods such as Runtime.exec().

This vulnerability affects Apache ActiveMQ versions before 5.19.7 and from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 5.19.7 or 6.2.6 to fix this issue.


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to execute arbitrary code on the Apache ActiveMQ broker's JVM.

Such arbitrary code execution can lead to full compromise of the broker service, potentially allowing the attacker to manipulate messaging operations, disrupt service availability, or use the broker as a pivot point for further attacks within the network.

Because the exploit involves executing code via the Spring XML application context, it can be used to run any commands or payloads that the attacker chooses, leading to severe security risks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the Apache ActiveMQ web console, which permits exec operations on all ActiveMQ MBeans including BrokerService.addNetworkConnector(String).

To detect this vulnerability, you can check if your Apache ActiveMQ instance exposes the Jolokia endpoint at /api/jolokia/ and whether the default Jolokia access policy is in place allowing exec operations.

You may use HTTP requests or tools like curl to test access to the Jolokia endpoint and attempt to invoke MBean operations requiring authentication.

  • curl -u <username>:<password> http://<activemq-host>:<port>/api/jolokia/
  • curl -u <username>:<password> -H 'Content-Type: application/json' -d '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["masterslave://..."]}' http://<activemq-host>:<port>/api/jolokia/

If these commands succeed in invoking exec operations on MBeans, your system is vulnerable.
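Beyond probing the endpoint, a defender can look for invocations that have already happened. The script below is an added example, not code from this page or from the Apache ActiveMQ project: it scans web-console request-log lines for Jolokia exec requests against org.apache.activemq MBeans and ranks them, treating the addNetworkConnector operation and any argument carrying a masterslave: URI as high severity. It assumes NCSA-style request-log lines, the /api/jolokia/ prefix from the advisory, and Jolokia's GET URL layout (exec/<mbean>/<operation>/<args>, with "!" escaping literal slashes). The log lines are constructed for illustration, and the addresses, user names and the masterslave URI are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in NCSA/Jetty request-log format (not real traffic).
# Addresses, user names and the masterslave URI are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jun/2026:10:01:02 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
10.0.0.5 - admin [01/Jun/2026:10:01:10 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalMessageCount HTTP/1.1" 200 210
10.0.0.9 - admin [01/Jun/2026:10:02:31 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/masterslave:!/!/placeholder-uri HTTP/1.1" 200 340
10.0.0.9 - admin [01/Jun/2026:10:02:40 +0000] "POST /api/jolokia/ HTTP/1.1" 200 290
10.0.0.7 - - [01/Jun/2026:10:03:00 +0000] "POST /api/jolokia/ HTTP/1.1" 401 0
"""

# NCSA common log format: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

JOLOKIA_PREFIX = "/api/jolokia"          # endpoint named in the advisory
HIGH_RISK_OPS = {"addNetworkConnector"}  # operation named in the advisory


def split_jolokia_path(rest):
    """Split a Jolokia GET sub-path on '/', honouring the '!' escape
    Jolokia uses for literal slashes ('!/') and bangs ('!!')."""
    parts, cur, i = [], [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "!" and i + 1 < len(rest):
            cur.append(rest[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def classify(entry):
    """Return (severity, detail) for a parsed log entry, or None if not of interest."""
    method, status = entry["method"], entry["status"]
    path = unquote(entry["path"])
    if not path.startswith(JOLOKIA_PREFIX):
        return None
    if method == "GET" and "/exec/" in path:
        parts = split_jolokia_path(path.split("/exec/", 1)[1])
        mbean = parts[0]
        op = parts[1] if len(parts) > 1 else ""
        args = parts[2:]
        if mbean.startswith("org.apache.activemq:"):
            if op in HIGH_RISK_OPS or any("masterslave:" in a for a in args):
                return ("high", f"exec {op} on {mbean} with args {args}")
            return ("medium", f"exec {op} on ActiveMQ MBean {mbean}")
        return ("low", f"exec {op} on {mbean}")
    if method == "POST" and status == "200":
        # The access log does not carry the JSON body, so the operation is unknown here.
        return ("info", "accepted POST to Jolokia; body not logged, inspect proxy/WAF capture")
    return None


def scan(log_text):
    """Parse log lines and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        verdict = classify(entry)
        if verdict:
            findings.append({"ip": entry["ip"], "user": entry["user"], "ts": entry["ts"],
                             "severity": verdict[0], "detail": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:6s}] {f['ts']} {f['ip']} user={f['user']}: {f['detail']}")
```

Only GET-style requests expose the MBean and operation in the request line; exec calls sent as POST JSON (the form the curl command above uses) appear as a bare POST /api/jolokia/, so body-level visibility needs a reverse proxy or WAF that records request bodies. Tune the rules for any legitimate tooling that talks to the endpoint.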


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6 or later, where this vulnerability is fixed.

Additionally, restrict access to the Jolokia JMX-HTTP bridge endpoint (/api/jolokia/) by enforcing strong authentication and limiting network exposure.

Review and tighten Jolokia access policies to prevent exec operations on ActiveMQ MBeans unless absolutely necessary.

Monitor and audit usage of Jolokia endpoints to detect any unauthorized or suspicious activity.
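To make the "tighten Jolokia access policies" step concrete, the following added example (not code from this page or from the Apache ActiveMQ project) contrasts a permissive Jolokia policy with two hardened variants, one that keeps exec but denies addNetworkConnector on every org.apache.activemq:* MBean, and one that drops exec from the command allow-list altogether, and audits each with a simplified model of how Jolokia evaluates `<commands>`, `<deny>` and `<allow>`. The three policies are constructed for illustration and are not copies of the policy ActiveMQ ships; the evaluator is an approximation (it ignores remote-host, HTTP-method and attribute rules), and "hypotheticalOtherOperation" is a placeholder operation name. The MBean name is the one used in the detection commands above.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Broker MBean from the advisory's curl example.
BROKER_MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"

# Constructed policies for illustration; not ActiveMQ's shipped jolokia-access.xml.
PERMISSIVE_POLICY = """\
<restrict>
  <cors><strict-checking/></cors>
</restrict>
"""

# Keeps exec available but denies the operation named in the advisory on all ActiveMQ MBeans.
TARGETED_DENY_POLICY = """\
<restrict>
  <cors><strict-checking/></cors>
  <deny>
    <mbean>
      <name>org.apache.activemq:*</name>
      <operation>addNetworkConnector</operation>
    </mbean>
  </deny>
</restrict>
"""

# Read-only profile: exec (and write) are simply absent from the command allow-list.
READ_ONLY_POLICY = """\
<restrict>
  <cors><strict-checking/></cors>
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>
</restrict>
"""


def _mbean_entry_matches(entry, mbean, operation):
    """True if an <mbean> entry covers this MBean/operation pair.
    The <name> wildcard is approximated with shell-style matching."""
    name = (entry.findtext("name") or "").strip()
    ops = {(o.text or "").strip() for o in entry.findall("operation")}
    return fnmatch.fnmatchcase(mbean, name) and (not ops or "*" in ops or operation in ops)


def exec_allowed(policy_xml, mbean, operation):
    """Simplified model of Jolokia policy evaluation for an exec request:
    1. a <commands> list that omits exec denies it globally;
    2. a matching <deny> entry denies;
    3. if an <allow> list exists, only matching entries pass;
    4. otherwise the request is allowed."""
    root = ET.fromstring(policy_xml)
    commands = root.find("commands")
    if commands is not None:
        allowed_cmds = {(c.text or "").strip() for c in commands.findall("command")}
        if "exec" not in allowed_cmds:
            return False
    for entry in root.findall("deny/mbean"):
        if _mbean_entry_matches(entry, mbean, operation):
            return False
    allow = root.find("allow")
    if allow is not None:
        return any(_mbean_entry_matches(e, mbean, operation) for e in allow.findall("mbean"))
    return True


def audit_policy(policy_xml):
    """Return the advisory's operations that the policy still exposes on the broker MBean."""
    return [op for op in ("addNetworkConnector",) if exec_allowed(policy_xml, BROKER_MBEAN, op)]


if __name__ == "__main__":
    for label, policy in [("permissive", PERMISSIVE_POLICY),
                          ("targeted-deny", TARGETED_DENY_POLICY),
                          ("read-only", READ_ONLY_POLICY)]:
        print(f"{label:14s} exposed operations: {audit_policy(policy) or 'none'}")
```

Point the audit at the policy file your installation actually loads (for ActiveMQ Classic that is typically conf/jolokia-access.xml, an assumption to confirm against your deployment) and treat the read-only profile as the default unless a documented workflow needs exec; the upgrade remains the actual fix, since a policy only narrows which callers reach the vulnerable operation.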

