Classpath Path Name Vulnerability in Apache ActiveMQ Products
CVE-2026-33227
Key Information:
- Vendor: Apache
- CVE Published: 7 April 2026
What is CVE-2026-33227?
An improper validation and restriction issue has been identified in Apache ActiveMQ, which can allow authenticated users to construct a 'key' value that can lead to unintended classpath traversal. This vulnerability primarily manifests during the creation of Stomp consumers and when browsing messages in the Web console. If exploited, it enables the loading of unintended resources due to path concatenation. Users are strongly advised to upgrade their installations to version 5.19.4 or 6.2.3, which address the issue effectively. While versions 5.19.3 and 6.2.2 also resolve this vulnerability, their fixes are applicable only in non-Windows environments due to specific path handling bugs.
Affected Version(s)
Apache ActiveMQ 0 < 5.19.3
Apache ActiveMQ 6.0.0 < 6.2.2
Apache ActiveMQ Broker 0 < 5.19.3
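
The version ranges and the Windows caveat above can be combined into one inventory check. The sketch below is an added example, not code from Apache or from this advisory; the host names, the inventory rows and the `review` status for qualified builds such as snapshots are assumptions made for illustration.

```python
import re

# Thresholds from the advisory text: per release line, the first version with
# the non-Windows-only fix and the first version fixed on every platform.
FIX_LEVELS = {
    "5.x": ((5, 19, 3), (5, 19, 4)),
    "6.x": ((6, 2, 2), (6, 2, 3)),
}

def parse_version(text):
    """Return ((major, minor, patch), qualifier) for '6.2.2' or '5.19.4-SNAPSHOT'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([-.].+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.group(1, 2, 3)), m.group(4)

def triage(version, os_name):
    """Classify one broker as 'fixed', 'vulnerable' or 'review'."""
    v, qualifier = parse_version(version)
    if qualifier:
        # Assumption: a qualified build cannot be mapped to a release, so flag it.
        return "review"
    partial, full = FIX_LEVELS["6.x" if v >= (6, 0, 0) else "5.x"]
    if v >= full:
        return "fixed"
    # 5.19.3 and 6.2.2 resolve the issue only in non-Windows environments.
    if v >= partial and os_name.lower() != "windows":
        return "fixed"
    return "vulnerable"

# Constructed inventory rows: (host, ActiveMQ version, operating system).
INVENTORY = [
    ("mq-a", "5.18.6", "linux"),
    ("mq-b", "5.19.3", "linux"),
    ("mq-c", "5.19.3", "windows"),
    ("mq-d", "6.2.2", "windows"),
    ("mq-e", "6.2.3", "windows"),
    ("mq-f", "6.3.0-SNAPSHOT", "linux"),
]

def triage_inventory(rows):
    """Map each host to its triage status."""
    return {host: triage(ver, os_name) for host, ver, os_name in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `vulnerable` on 5.19.3 or 6.2.2 are the Windows installations that need 5.19.4 or 6.2.3 rather than the earlier fix release.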