CVE-2026-45505
Code Injection in Apache ActiveMQ
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq_broker | From 6.0.0 (inc) to 6.2.6 (exc) |
| apache | activemq_all | From 6.0.0 (inc) to 6.2.6 (exc) |
| apache | activemq | From 6.0.0 (inc) to 6.2.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers to execute arbitrary code on the Apache ActiveMQ broker's JVM, potentially leading to unauthorized access, data manipulation, or service disruption.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.
Additionally, this CVE is listed in CISA's Known Exploited Vulnerabilities Catalog, mandating federal agencies to apply mitigations by a specific deadline, reflecting its significance in regulatory compliance contexts.
Failure to remediate this vulnerability could result in non-compliance with security requirements of these regulations, increasing legal and operational risks.
Can you explain this vulnerability to me?
This vulnerability is an Improper Input Validation and Code Injection issue in Apache ActiveMQ Broker and related products. It occurs because the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console allows authenticated attackers to execute certain operations on ActiveMQ MBeans, such as adding network connectors or connectors.
An attacker can craft a malicious discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Since Spring initializes all singleton beans before the BrokerService validates the configuration, this leads to arbitrary code execution on the broker's JVM through methods like Runtime.exec().
This issue affects Apache ActiveMQ Broker versions before 5.19.7 and from 6.0.0 before 6.2.6, as well as Apache ActiveMQ All and Apache ActiveMQ with the same version ranges. Users are advised to upgrade to versions 5.19.7 or 6.2.6 to fix the vulnerability.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to execute arbitrary code on the Apache ActiveMQ broker's JVM. This can lead to full compromise of the broker service, allowing the attacker to run malicious commands or code remotely.
Such code execution can disrupt messaging services, lead to data breaches, unauthorized access, or further lateral movement within the affected environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the Apache ActiveMQ web console, which allows authenticated attackers to execute certain MBean operations. Detection can focus on monitoring access to this endpoint and checking for suspicious usage of BrokerService.addNetworkConnector or BrokerService.addConnector operations with crafted discovery URIs.
Commands to detect exploitation attempts might include inspecting web server logs or ActiveMQ logs for requests to /api/jolokia/ that invoke these operations. Additionally, network monitoring tools can be used to detect unusual HTTP POST requests to /api/jolokia/ containing suspicious payloads referencing VM transport brokerConfig parameters or remote Spring XML application contexts.
Specific commands depend on your environment, but examples include:
- Using curl or similar tools to test access: curl -u <user>:<password> -X POST http://<activemq-host>:<port>/api/jolokia/ -d '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["masterslave:vm://..."]}'
- Searching logs for suspicious Jolokia exec operations: grep '/api/jolokia/' /var/log/activemq/activemq.log | grep 'addNetworkConnector'
- Monitoring network traffic for POST requests to /api/jolokia/ with suspicious payloads using tools like Wireshark or Zeek.
What immediate steps should I take to mitigate this vulnerability?
The primary recommended mitigation is to upgrade Apache ActiveMQ to a fixed version that addresses this vulnerability.
- Upgrade Apache ActiveMQ Broker or Apache ActiveMQ to version 5.19.7 or later, or 6.2.6 or later, which include the fix for this issue.
- Restrict access to the Jolokia JMX-HTTP bridge endpoint (/api/jolokia/) to trusted and authenticated users only.
- Review and tighten Jolokia access policies to limit exec operations on ActiveMQ MBeans.
- Monitor logs and network traffic for suspicious activity targeting the Jolokia endpoint.