Apache ActiveMQ Flaws Enable Path Traversal and TLS DoS
Apache disclosed two vulnerabilities affecting multiple ActiveMQ components, including the Client, the Broker, and the bundled distributions. CVE-2026-33227 is a low-severity pathname-restriction flaw that lets an authenticated user supply a crafted key value to traverse the classpath in two cases: when creating a STOMP consumer and when browsing messages through the web console. Apache warned the issue could expose classpath resource loading and potentially be chained with another attack. The flaw affects 5.x versions before 5.19.3 and 6.x versions from 6.0.0 up to, but not including, 6.2.2; however, Apache said those initial fixes were incomplete on Windows because of path separator handling and recommended upgrading instead to 5.19.4 or 6.2.3.
Apache also published CVE-2026-39304, an important-severity denial-of-service flaw in ActiveMQ's NIO SSL transports caused by incorrect handling of TLS 1.3 KeyUpdate messages. A client can repeatedly trigger key updates and exhaust broker memory in the SSL engine, causing out-of-memory crashes and service disruption. Apache added that the related handshake handling is also broken for earlier TLS versions such as TLS 1.2, though in those cases the result is hung connections rather than memory exhaustion. The DoS issue affects 5.x versions before 5.19.4 and 6.x versions from 6.0.0 up to, but not including, 6.2.4; users are advised to upgrade to 5.19.5 or 6.2.4.
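Because the two advisories have different fixed versions and one of them has a "first fix was incomplete on Windows" band, checking a fleet by eye is error-prone. The script below is an added example, not Apache's code or anything from the advisories: it encodes the version boundaries exactly as stated above and classifies each inventory entry as affected, past the original fix but below the version Apache recommends, fixed, or out of scope. The host names and versions in the inventory at the bottom are constructed.

```python
"""Classify Apache ActiveMQ versions against the affected ranges Apache
published for CVE-2026-33227 and CVE-2026-39304.

Added example for this story (not Apache's code). Version boundaries are
the ones stated in the advisories; the inventory below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    first_affected: tuple   # inclusive lower bound of the affected range
    first_fixed: tuple      # exclusive upper bound ("before X")
    recommended: tuple      # version Apache advises upgrading to


@dataclass(frozen=True)
class Advisory:
    cve: str
    branches: dict          # major version -> Branch


ADVISORIES = (
    # Classpath traversal; the initial 5.19.3 / 6.2.2 fixes were incomplete
    # on Windows, so Apache recommends 5.19.4 / 6.2.3 instead.
    Advisory("CVE-2026-33227", {
        5: Branch((5, 0, 0), (5, 19, 3), (5, 19, 4)),
        6: Branch((6, 0, 0), (6, 2, 2), (6, 2, 3)),
    }),
    # TLS 1.3 KeyUpdate denial of service in the NIO SSL transports.
    Advisory("CVE-2026-39304", {
        5: Branch((5, 0, 0), (5, 19, 4), (5, 19, 5)),
        6: Branch((6, 0, 0), (6, 2, 4), (6, 2, 4)),
    }),
)


def parse_version(text):
    """'5.19.3' -> (5, 19, 3). A '-qualifier' suffix is dropped and missing
    components are padded with zeros so tuples compare component-wise."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def assess(version, advisory):
    """Return one of: not-in-scope, affected, below-recommended, fixed."""
    v = parse_version(version)
    branch = advisory.branches.get(v[0])
    if branch is None or v < branch.first_affected:
        return "not-in-scope"          # branch not covered by this advisory
    if v < branch.first_fixed:
        return "affected"              # inside the published affected range
    if v < branch.recommended:
        # Past the original fix but below the version Apache now recommends
        # (for CVE-2026-33227 this band is the incomplete Windows fix).
        return "below-recommended"
    return "fixed"


def assess_all(version):
    """Status per CVE for one version string."""
    return {a.cve: assess(version, a) for a in ADVISORIES}


def needs_upgrade(version):
    """True unless every advisory reports the version as fixed."""
    return any(s != "fixed" for s in assess_all(version).values())


if __name__ == "__main__":
    # Constructed inventory: host names and versions are made up.
    inventory = {
        "broker-a": "5.19.2",
        "broker-b": "5.19.3",
        "broker-c": "6.2.3",
        "broker-d": "6.2.4",
    }
    for host, ver in inventory.items():
        flag = "UPGRADE" if needs_upgrade(ver) else "ok"
        print(f"{host:10} {ver:8} {flag:8} {assess_all(ver)}")
```

Feeding it a real inventory export (one version string per broker) is enough to produce an upgrade list; the "below-recommended" status is the one to watch, since a 5.19.3 or 6.2.2 broker reads as patched for CVE-2026-33227 in most scanners but is still exposed on Windows, and both of those versions remain inside the affected range for CVE-2026-39304.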

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Apache releases upgrade guidance for CVE-2026-39304
Apache said the flaw affects the 5.x branch before 5.19.4 and the 6.x branch from 6.0.0 before 6.2.4, and advised users to upgrade to 5.19.5 or 6.2.4. Apache also noted related TLS handshake handling problems in earlier TLS versions can cause connection hangs rather than out-of-memory conditions.
Apache discloses CVE-2026-39304 ActiveMQ TLS KeyUpdate DoS flaw
Apache disclosed CVE-2026-39304, an important denial-of-service vulnerability in ActiveMQ NIO SSL transports. A client can abuse TLS 1.3 KeyUpdate handling to exhaust broker memory and trigger out-of-memory service disruption.
Apache recommends newer ActiveMQ fixes for CVE-2026-33227
Apache said affected versions include the 5.x branch before 5.19.3 and the 6.x branch from 6.0.0 before 6.2.2, but advised upgrading to 5.19.4 or 6.2.3 because the earlier fixes were incomplete on Windows due to a path separator bug. Dawei Wang was credited with discovering the vulnerability.
Apache discloses CVE-2026-33227 in ActiveMQ
Apache disclosed CVE-2026-33227, a low-severity path traversal-style flaw affecting multiple Apache ActiveMQ components. The issue allows a key value supplied by an authenticated user to traverse the classpath during STOMP consumer creation and web console message browsing.
Sources
oss-sec: CVE-2026-39304: Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM (seclists.org)
oss-sec: CVE-2026-33227: Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitation of a Pathname to a Restricted Directory (seclists.org)