Classpath Path Name Vulnerability in Apache ActiveMQ Products
CVE-2026-33227

4.3 MEDIUM

What is CVE-2026-33227?

An improper validation and restriction issue has been identified in Apache ActiveMQ that allows authenticated users to construct a 'key' value leading to unintended classpath traversal. The problem manifests primarily when Stomp consumers are created and when messages are browsed in the Web console. Because the key is concatenated into a path without adequate restriction, exploitation enables the loading of unintended classpath resources. Users are strongly advised to upgrade to version 5.19.4 or 6.2.3, which fully address the issue. Versions 5.19.3 and 6.2.2 also contain a fix, but it is effective only in non-Windows environments because of platform-specific path handling bugs.
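As an added illustration (not ActiveMQ's own code or fix), the following Java snippet contrasts unrestricted key concatenation with an allowlist check that rejects separator characters and traversal segments independently of the platform; the prefix, class and method names are hypothetical.

```java
import java.util.regex.Pattern;

// Added illustration, not ActiveMQ code: a user-supplied 'key' that is
// concatenated onto a classpath prefix must be restricted before use.
public final class ResourceKeyCheck {
    // Hypothetical resource prefix the key is appended to.
    private static final String PREFIX = "META-INF/resources/";
    // Allowlist: one path segment of safe characters, no '/' or '\\'.
    // Rejecting both separator characters avoids depending on the
    // platform's path handling (a Unix-only check misses "..\\" on Windows).
    private static final Pattern SAFE_KEY =
            Pattern.compile("[A-Za-z0-9._-]{1,128}");

    // Weak form: plain concatenation, so "../" or "..\\" segments in the
    // key escape the intended directory.
    static String weakResourcePath(String key) {
        return PREFIX + key;
    }

    // Hardened form: validate the key against the allowlist and reject
    // the traversal segments "." and "..", then concatenate.
    static String safeResourcePath(String key) {
        if (key == null || !SAFE_KEY.matcher(key).matches()) {
            throw new IllegalArgumentException("key contains disallowed characters");
        }
        if (key.equals(".") || key.equals("..")) {
            throw new IllegalArgumentException("traversal segment rejected");
        }
        return PREFIX + key;
    }

    public static void main(String[] args) {
        // Constructed sample keys: one benign, two traversal attempts.
        String[] keys = {
            "queue-config.xml",
            "../../secret.properties",
            "..\\..\\secret.properties"
        };
        for (String key : keys) {
            System.out.println("weak: " + weakResourcePath(key));
            try {
                System.out.println("safe: " + safeResourcePath(key));
            } catch (IllegalArgumentException e) {
                System.out.println("safe: rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The weak form passes both traversal keys straight through, while the hardened form accepts only the benign key; the same check is intended for any place a user-controlled key is joined to a resource path.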

Affected Version(s)

  • Apache ActiveMQ 0 < 5.19.3

  • Apache ActiveMQ 6.0.0 < 6.2.2

  • Apache ActiveMQ All 0 < 5.19.3

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Dawei Wang