Code Injection Vulnerability in Apache ActiveMQ Products
CVE-2026-41044
Currently unrated
Key Information:
- Vendor: Apache
- CVE Published: 24 April 2026
What is CVE-2026-41044?
A vulnerability in Apache ActiveMQ allows authenticated attackers to exploit improper input validation to perform code injection via the admin web console. By crafting a malicious broker name that bypasses the input validation, an attacker can use the DestinationView MBean to create a VM transport, which triggers the loading of a malicious Spring XML application context. Arbitrary code execution may then occur on the broker's JVM through bean factory methods. Users should upgrade to version 6.2.5 or 5.19.6 to mitigate this risk.
Affected Version(s)
Apache ActiveMQ 0 < 5.19.6
Apache ActiveMQ 6.0.0 < 6.2.5
Apache ActiveMQ All 0 < 5.19.6