Bug#1136024: activemq: CVE-2026-40466 CVE-2026-39304 CVE-2026-34197 CVE-2026-33227 CVE-2026-41043 CVE-2026-41044
Moritz Mühlenhoff
jmm at inutil.org
Fri May 8 15:27:32 BST 2026
Source: activemq
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for activemq.
CVE-2026-40466[0]:
| Improper Input Validation, Improper Control of Generation of Code
| ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache
| ActiveMQ All, Apache ActiveMQ. An authenticated attacker may
| bypass the fix in CVE-2026-34197 by adding a connector using an HTTP
| Discovery transport via BrokerView.addNetworkConnector
| or BrokerView.addConnector through Jolokia if the activemq-http
| module is on the classpath. A malicious HTTP endpoint can return a
| VM transport through the HTTP URI which will bypass the validation
| added in CVE-2026-34197. The attacker can then use the VM
| transport's brokerConfig parameter to load a remote Spring XML
| application context using ResourceXmlApplicationContext. Because
| Spring's ResourceXmlApplicationContext instantiates all singleton
| beans before the BrokerService validates the configuration,
| arbitrary code execution occurs on the broker's JVM through bean
| factory methods such as Runtime.exec(). This issue affects Apache
| ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache
| ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache
| ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. Users are
| recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the
| issue.
https://www.openwall.com/lists/oss-security/2026/04/23/4
CVE-2026-39304[1]:
| Denial of Service via Out of Memory vulnerability in Apache ActiveMQ
| Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL
| transports do not correctly handle TLSv1.3 handshake KeyUpdates
| triggered by clients. This makes it possible for a client to rapidly
| trigger updates which causes the broker to exhaust all its memory in
| the SSL engine leading to DoS. Note: TLS versions before TLSv1.3
| (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous
| TLS versions require a full handshake renegotiation which causes a
| connection to hang but not OOM. This is fixed as well. This issue
| affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before
| 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before
| 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.
| Users are recommended to upgrade to version 6.2.4 or 5.19.5, which
| fixes the issue.
https://www.openwall.com/lists/oss-security/2026/04/09/17
CVE-2026-34197[2]:
| Improper Input Validation, Improper Control of Generation of Code
| ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache
| ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP
| bridge at /api/jolokia/ on the web console. The default Jolokia
| access policy permits exec operations on all ActiveMQ MBeans
| (org.apache.activemq:*), including
| BrokerService.addNetworkConnector(String) and
| BrokerService.addConnector(String). An authenticated attacker can
| invoke these operations with a crafted discovery URI that triggers
| the VM transport's brokerConfig parameter to load a remote Spring
| XML application context using ResourceXmlApplicationContext. Because
| Spring's ResourceXmlApplicationContext instantiates all singleton
| beans before the BrokerService validates the configuration,
| arbitrary code execution occurs on the broker's JVM through bean
| factory methods such as Runtime.exec(). This issue affects Apache
| ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache
| ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache
| ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are
| recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the
| issue.
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
CVE-2026-33227[3]:
| Improper validation and restriction of a classpath path name
| vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker,
| Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two
| instances (when creating a Stomp consumer and also browsing messages
| in the Web console) an authenticated user provided "key" value could
| be constructed to traverse the classpath due to path concatenation.
| As a result, the application is exposed to a classpath path resource
| loading vulnerability that could potentially be chained together
| with another attack to lead to exploit. This issue affects
| Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2;
| Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2;
| Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache
| ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache
| ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are
| recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the
| issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is
| limited to non-Windows environments due to a path separator
| resolution bug fixed in 5.19.4 and 6.2.3.
https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt
CVE-2026-41043[4]:
| Improper Neutralization of Script-Related HTML Tags in a Web Page
| (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.
| An authenticated attacker can show malicious content when browsing
| queues in the web console by overriding the content type to be HTML
| (instead of XML) and by injecting HTML into a JMS selector field.
| This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before
| 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.
| Users are recommended to upgrade to version 6.2.5 or 5.19.6, which
| fixes the issue.
https://www.openwall.com/lists/oss-security/2026/04/23/5
CVE-2026-41044[5]:
| Improper Input Validation, Improper Control of Generation of Code
| ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ
| Broker, Apache ActiveMQ All. An authenticated attacker can use the
| admin web console page to construct a malicious broker name that
| bypasses name validation to include an xbean binding that can be
| later used by a VM transport to load a remote Spring XML
| application. The attacker can then use the DestinationView mbean to
| send a message to trigger a VM transport creation that will
| reference this malicious broker name which can lead to loading the
| malicious Spring XML context file. Because Spring's
| ResourceXmlApplicationContext instantiates all singleton beans
| before the BrokerService validates the configuration, arbitrary code
| execution occurs on the broker's JVM through bean factory methods
| such as Runtime.exec(). This issue affects Apache ActiveMQ: before
| 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before
| 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6,
| from 6.0.0 before 6.2.5. Users are recommended to upgrade to
| version 6.2.5 or 5.19.6, which fixes the issue.
https://www.openwall.com/lists/oss-security/2026/04/23/6
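The Jolokia-based entries above (CVE-2026-34197 and its bypass CVE-2026-40466) both rely on the default Jolokia access policy allowing exec on every org.apache.activemq MBean. As an added defence-in-depth example that is not part of this report or of the ActiveMQ project, the policy below withholds the global exec permission and explicitly denies the two operations named in those entries; the file location conf/jolokia-access.xml and the purge example in the trailing comment are assumptions, and upgrading to the fixed versions listed above remains the actual fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: conf/jolokia-access.xml (the policy file the api webapp
     points at). This is an added hardening example, not an ActiveMQ default. -->
<restrict>
  <!-- Only read-style commands are permitted globally. "exec" is deliberately
       absent, so MBean operations are refused unless listed under <allow>. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
    <command>search</command>
  </commands>

  <!-- Belt and braces: even if "exec" is later re-added above, the two
       operations abused in CVE-2026-34197 / CVE-2026-40466 stay denied for
       every ActiveMQ MBean (the Broker MBean included). -->
  <deny>
    <mbean>
      <name>org.apache.activemq:*</name>
      <operation>addNetworkConnector</operation>
      <operation>addConnector</operation>
    </mbean>
  </deny>

  <!-- Re-enable individual operations that monitoring or automation really
       needs, one MBean pattern at a time. Assumed example, kept commented out: -->
  <!--
  <allow>
    <mbean>
      <name>org.apache.activemq:type=Broker,brokerName=*,destinationType=Queue,destinationName=*</name>
      <operation>purge</operation>
    </mbean>
  </allow>
  -->
</restrict>
```

Deny entries take precedence over allow entries and over the global command list, so anything an automation client needs must be re-allowed per MBean after applying this; the policy narrows what the /api/jolokia/ endpoint will execute but does not remove the underlying broker bug.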
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40466
https://www.cve.org/CVERecord?id=CVE-2026-40466
[1] https://security-tracker.debian.org/tracker/CVE-2026-39304
https://www.cve.org/CVERecord?id=CVE-2026-39304
[2] https://security-tracker.debian.org/tracker/CVE-2026-34197
https://www.cve.org/CVERecord?id=CVE-2026-34197
[3] https://security-tracker.debian.org/tracker/CVE-2026-33227
https://www.cve.org/CVERecord?id=CVE-2026-33227
[4] https://security-tracker.debian.org/tracker/CVE-2026-41043
https://www.cve.org/CVERecord?id=CVE-2026-41043
[5] https://security-tracker.debian.org/tracker/CVE-2026-41044
https://www.cve.org/CVERecord?id=CVE-2026-41044
Please adjust the affected versions in the BTS as needed.