Code Injection Vulnerability in Apache ActiveMQ Broker by Apache
CVE-2026-42588

8.1 HIGH

Key Information:

Vendor: Apache

CVE Published: 1 June 2026

Badges

👾 Exploit Exists, 🟡 Public PoC

What is CVE-2026-42588?

Apache ActiveMQ Classic contains an improper input validation vulnerability. Through the Jolokia JMX-HTTP bridge, an authenticated attacker can perform exec operations on ActiveMQ MBeans using a crafted discovery URI. This could cause the broker to load a Spring XML application context, triggering arbitrary code execution in the broker's JVM. The vulnerability affects various versions of Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ; users should upgrade to the fixed versions 5.19.7 or 6.2.6 to mitigate the risk.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.7

Apache ActiveMQ 6.0.0 < 6.2.6

Apache ActiveMQ All 0 < 5.19.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

pyn3rd
uname
4ra1n