CVE-2026-45505
Analyzed Analyzed - Analysis Complete
Code Injection in Apache ActiveMQ

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass validation allowing bypass of fix inΒ CVE-2026-34197.Β  Original description fromΒ CVE-2026-34197. Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).Β An authenticated attacker can invoke these operations with a crafted discovery UR that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45505
EUVD
EUVD-2026-33576
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
apache activemq to 5.19.7 (exc)
apache activemq From 6.0.0 (inc) to 6.2.6 (exc)
apache activemq_broker to 5.19.7 (exc)
apache activemq_broker From 6.0.0 (inc) to 6.2.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated attackers to execute arbitrary code on the Apache ActiveMQ broker's JVM, potentially leading to unauthorized access, data manipulation, or service disruption.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Additionally, this CVE is listed in CISA's Known Exploited Vulnerabilities Catalog, mandating federal agencies to apply mitigations by a specific deadline, reflecting its significance in regulatory compliance contexts.

Failure to remediate this vulnerability could result in non-compliance with security requirements of these regulations, increasing legal and operational risks.

Executive Summary

This vulnerability is an Improper Input Validation and Code Injection issue in Apache ActiveMQ Broker and related products. It occurs because the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console allows authenticated attackers to execute certain operations on ActiveMQ MBeans, such as adding network connectors or connectors.

An attacker can craft a malicious discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Since Spring initializes all singleton beans before the BrokerService validates the configuration, this leads to arbitrary code execution on the broker's JVM through methods like Runtime.exec().

This issue affects Apache ActiveMQ Broker versions before 5.19.7 and from 6.0.0 before 6.2.6, as well as Apache ActiveMQ All and Apache ActiveMQ with the same version ranges. Users are advised to upgrade to versions 5.19.7 or 6.2.6 to fix the vulnerability.

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary code on the Apache ActiveMQ broker's JVM. This can lead to full compromise of the broker service, allowing the attacker to run malicious commands or code remotely.

Such code execution can disrupt messaging services, lead to data breaches, unauthorized access, or further lateral movement within the affected environment.

Detection Guidance

This vulnerability involves the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the Apache ActiveMQ web console, which allows authenticated attackers to execute certain MBean operations. Detection can focus on monitoring access to this endpoint and checking for suspicious usage of BrokerService.addNetworkConnector or BrokerService.addConnector operations with crafted discovery URIs.

Commands to detect exploitation attempts might include inspecting web server logs or ActiveMQ logs for requests to /api/jolokia/ that invoke these operations. Additionally, network monitoring tools can be used to detect unusual HTTP POST requests to /api/jolokia/ containing suspicious payloads referencing VM transport brokerConfig parameters or remote Spring XML application contexts.

Specific commands depend on your environment, but examples include:

  • Using curl or similar tools to test access: curl -u <user>:<password> -X POST http://<activemq-host>:<port>/api/jolokia/ -d '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["masterslave:vm://..."]}'
  • Searching logs for suspicious Jolokia exec operations: grep '/api/jolokia/' /var/log/activemq/activemq.log | grep 'addNetworkConnector'
  • Monitoring network traffic for POST requests to /api/jolokia/ with suspicious payloads using tools like Wireshark or Zeek.
Mitigation Strategies

The primary recommended mitigation is to upgrade Apache ActiveMQ to a fixed version that addresses this vulnerability.

  • Upgrade Apache ActiveMQ Broker or Apache ActiveMQ to version 5.19.7 or later, or 6.2.6 or later, which include the fix for this issue.
  • Restrict access to the Jolokia JMX-HTTP bridge endpoint (/api/jolokia/) to trusted and authenticated users only.
  • Review and tighten Jolokia access policies to limit exec operations on ActiveMQ MBeans.
  • Monitor logs and network traffic for suspicious activity targeting the Jolokia endpoint.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart