CVE-2026-49432

Denial of Service in Apache ActiveMQ

Vulnerability report for CVE-2026-49432, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Apache Software Foundation

Description

Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products

3 associated CPEs:

Vendor   Product          Version / Range
apache   activemq         up to 6.2.7 (excluding)
apache   activemq_all     up to 6.2.7 (excluding)
apache   activemq_stomp   up to 6.2.7 (excluding)

Exploitability

CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Executive Summary

This vulnerability is an Improper Input Validation issue in Apache ActiveMQ and its related components. A remote unauthenticated attacker who can access an exposed STOMP connector can exploit this by sending a negative content-length value. This can trigger denial-of-service behavior.

Specifically, for the NIO STOMP transport, the attacker can continuously stream body bytes, causing the per-connection command buffer to grow beyond its configured limits, which can lead to an out-of-memory (OOM) condition. For the blocking STOMP protocol, the attack causes abnormal transport exception handling and forces the affected connection to close.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for STOMP protocol messages that contain a negative content-length header value, which is abnormal and indicative of an attack attempt.

You can use network packet capture tools such as tcpdump or Wireshark to filter and inspect STOMP messages for negative content-length values.

  • Example tcpdump command to capture STOMP traffic on port 61613 (default STOMP port): tcpdump -i <interface> -A 'tcp port 61613'
  • Within the captured data, look for lines containing 'content-length:' followed by a negative number.

Additionally, monitoring the Apache ActiveMQ logs for abnormal transport exceptions or connection closures related to STOMP connections may help detect exploitation attempts.
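The header check described above, as an added detection helper that is not part of this advisory or of ActiveMQ: it splits a captured STOMP byte stream into frames, parses the header block, and flags any frame whose content-length is negative (or not an integer). The sample stream is constructed; splitting on the NUL frame terminator is a simplification that does not handle binary bodies containing NUL bytes.

```python
"""Flag STOMP frames whose content-length header is negative (constructed
detection helper, not ActiveMQ code). Input: raw bytes captured from the STOMP
port; frames are split on the NUL terminator, which ignores binary bodies."""
import re

FRAME_END = b"\x00"
BLANK_LINE = re.compile(rb"\r?\n\r?\n")  # separates headers from body

def parse_frame(raw: bytes) -> dict:
    """Split one STOMP frame: COMMAND, header:value lines, blank line, body."""
    m = BLANK_LINE.search(raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    lines = re.split(rb"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            key, value = line.split(b":", 1)
            # STOMP 1.2: only the first occurrence of a repeated header counts
            headers.setdefault(key.strip().lower(), value.strip())
    return {"command": lines[0].strip(), "headers": headers, "body": body}

def check_content_length(frame: dict):
    """Return a finding if content-length is negative or not an integer, else None."""
    cl = frame["headers"].get(b"content-length")
    if cl is None:
        return None
    cmd = frame["command"].decode(errors="replace")
    try:
        n = int(cl)
    except ValueError:
        return f"{cmd}: non-numeric content-length {cl!r}"
    return f"{cmd}: negative content-length {n}" if n < 0 else None

def scan_stream(stream: bytes) -> list:
    """Walk every NUL-terminated frame in a captured stream and collect findings."""
    findings = []
    for raw in stream.split(FRAME_END):
        if raw.strip():  # skip heart-beat newlines and the trailing empty chunk
            finding = check_content_length(parse_frame(raw))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample: CONNECT, a well-formed SEND, then a SEND with content-length:-1.
SAMPLE_STREAM = (
    b"CONNECT\naccept-version:1.2\nhost:broker\n\n\x00"
    b"SEND\ndestination:/queue/test\ncontent-length:5\n\nhello\x00"
    b"SEND\ndestination:/queue/test\ncontent-length:-1\n\n\x00"
)
```

Calling scan_stream(SAMPLE_STREAM) returns one finding for the third frame; feed it reassembled bytes from a capture of port 61613 to apply the same check to real traffic.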

Impact Analysis

The primary impact of this vulnerability is denial-of-service (DoS). An attacker can cause the affected Apache ActiveMQ service to consume excessive memory resources or force connection closures, disrupting normal messaging operations.

This can lead to service unavailability or degraded performance, potentially affecting applications and systems that rely on Apache ActiveMQ for message brokering.

Mitigation Strategies

Users are recommended to upgrade Apache ActiveMQ to version 6.2.7 or 5.19.8, which fixes the issue.
