Apache ActiveMQ and Artemis Flaws Enable Security Bypass and Multiple Attacks
German authorities issued advisories for Apache ActiveMQ Artemis and Apache ActiveMQ Classic components after disclosing vulnerabilities that affect the broker, client, and web interfaces. One advisory warns that a flaw in Apache ActiveMQ Artemis can allow attackers to bypass security measures, raising the risk of unauthorized access or actions within affected messaging environments.
A separate advisory reports multiple vulnerabilities in Apache ActiveMQ across the Client, Broker, and Web components, indicating broader exposure for organizations using the messaging platform in enterprise integrations and application back ends. The notices identify the affected Apache messaging products as requiring prompt review and remediation to reduce the risk of compromise in systems that rely on ActiveMQ services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
dCERT publishes advisory on multiple Apache ActiveMQ vulnerabilities
dCERT issued Advisory 2026-1234 for Apache ActiveMQ covering multiple vulnerabilities. It was published as a new security notice separate from the earlier Apache ActiveMQ advisories already recorded.
dCERT publishes advisory on multiple Apache ActiveMQ vulnerabilities
dCERT issued Advisory 2026-1018 for Apache ActiveMQ covering multiple vulnerabilities. The advisory was published as a new security notice separate from earlier Apache ActiveMQ advisories.
dCERT publishes advisory on multiple Apache ActiveMQ vulnerabilities
dCERT issued Advisory 2026-0972 covering multiple vulnerabilities affecting Apache ActiveMQ Client, Broker, and Web components.
dCERT publishes advisory on Apache ActiveMQ Artemis security bypass flaw
dCERT issued Advisory 2026-0799 for Apache ActiveMQ Artemis describing a vulnerability that allows bypassing security measures.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
dCERT - Advisory 2026-1234 - Apache ActiveMQ: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-1018 - Apache ActiveMQ: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-0972 - Apache ActiveMQ, Client, Broker, and Web: Multiple Vulnerabilities
dcert.de
Open sourcedCERT - Advisory 2026-0799 - Apache ActiveMQ Artemis: Vulnerability allows bypassing security measures
dcert.de
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache ActiveMQ Flaws Enable Path Traversal and TLS DoS
Apache disclosed two vulnerabilities affecting multiple **ActiveMQ** components, including Client, Broker, and bundled distributions. **CVE-2026-33227** is a low-severity pathname restriction flaw that lets an authenticated user manipulate a supplied `key` value to traverse the classpath in two cases: when creating a **STOMP** consumer and when browsing messages through the web console. Apache warned the issue could expose classpath resource loading and potentially be chained with another attack. The flaw affects the 5.x branch before **5.19.3** and the 6.x branch from **6.0.0** before **6.2.2**, but Apache said those initial fixes were incomplete on Windows because of path separator handling, and recommended upgrading instead to **5.19.4** or **6.2.3**. Apache also published **CVE-2026-39304**, an important denial-of-service flaw in ActiveMQ's **NIO SSL transports** caused by incorrect handling of **TLS 1.3 `KeyUpdate`** messages. A client can repeatedly trigger updates and exhaust broker memory in the SSL engine, causing out-of-memory crashes and service disruption. Apache added that related handshake handling is also broken for earlier TLS versions such as **TLS 1.2**, though those cases lead to hung connections rather than memory exhaustion. The DoS issue affects the 5.x branch before **5.19.4** and the 6.x branch from **6.0.0** before **6.2.4**; users are advised to upgrade to **5.19.5** or **6.2.4**.
Apr 9, 2026
Authentication Bypass in Apache Artemis Core Downstream Federation (CVE-2026-27446)
**CVE-2026-27446** is a critical *missing authentication for a critical function* (CWE-306) in **Apache Artemis** and **Apache ActiveMQ Artemis** that enables an unauthenticated remote attacker to abuse the **Core protocol** to force a target broker to establish an outbound Core downstream federation connection to an attacker-controlled rogue broker. If successful, the attacker can **inject arbitrary messages into any queue** and/or **exfiltrate messages from any queue** via the rogue broker, particularly in environments that allow **incoming Core protocol connections from untrusted sources** and **outgoing Core protocol connections to untrusted destinations**. Impacted versions include **Apache Artemis 2.50.0–2.51.0** and **Apache ActiveMQ Artemis 2.11.0–2.44.0**; upgrading to **Apache Artemis 2.52.0** is recommended to remediate. Mitigations include removing Core protocol support from untrusted-facing acceptors (notably the default `artemis` acceptor on port `61616` if configured to allow Core) or enforcing **two-way TLS (mTLS)** to require certificate-based client authentication before protocol negotiation. The Centre for Cybersecurity Belgium highlighted the high severity (reported as **CVSS 9.3**) and noted no vendor warning of active exploitation as of early March 2026, while emphasizing that **ActiveMQ-family products have been repeatedly targeted historically** for follow-on activity such as ransomware deployment.
Mar 21, 2026
Apache ActiveMQ Jolokia Flaws Enable Authenticated Remote Code Execution
Apache ActiveMQ disclosed multiple related vulnerabilities in its Classic broker components that allow authenticated remote code execution through the Jolokia JMX-HTTP bridge exposed on the web console at `/api/jolokia/`. The flaws let an attacker invoke MBean methods such as `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` with crafted discovery URIs, abusing the VM transport `brokerConfig` parameter to load a remote Spring XML application context and execute arbitrary code in the broker JVM. Apache identified CVE-2026-42588 as the original issue and CVE-2026-45505 as a bypass of the earlier fix for CVE-2026-34197, caused by improper validation of non-parenthesized discovery wrappers including `masterslave:vm://...,...` and `static:vm://...`. The affected products are Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ versions before `5.19.7` and `6.0.0` through before `6.2.6`; Apache advises upgrading to `5.19.7` or `6.2.6` to remediate the exposure.
Jun 1, 2026