Code Injection Vulnerability in Apache ActiveMQ Broker by Apache
CVE-2026-42588
Currently unrated
Key Information:
- Vendor: Apache
- CVE Published: 1 June 2026
What is CVE-2026-42588?
Apache ActiveMQ Classic is affected by an improper input validation vulnerability. The Jolokia JMX-HTTP bridge allows authenticated attackers to perform exec operations on ActiveMQ MBeans by using a crafted discovery URI. This can trigger arbitrary code execution on the broker's JVM by loading a Spring XML application context. The vulnerability affects various versions of Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ; users should upgrade to the fixed versions 5.19.7 or 6.2.6 to mitigate the risk.
Affected Version(s)
Apache ActiveMQ 0 < 5.19.7
Apache ActiveMQ 6.0.0 < 6.2.6
Apache ActiveMQ All 0 < 5.19.7
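
A version check against the ranges listed above, as an added example that is not part of the original advisory or Apache's own tooling. The `is_affected` and `parse_version` names are hypothetical, the inventory values are constructed, and treating a pre-release build of a fixed version (such as `-SNAPSHOT`) as affected is an assumption.

```python
import re

# Affected ranges copied from the "Affected Version(s)" list on this page:
# (inclusive lower bound, exclusive upper bound = first fixed release).
AFFECTED = {
    "Apache ActiveMQ": [("0", "5.19.7"), ("6.0.0", "6.2.6")],
    "Apache ActiveMQ All": [("0", "5.19.7")],
}


def parse_version(text):
    """Turn '5.19.10' or '6.2.6-SNAPSHOT' into (numeric tuple, is_prerelease)."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(-.+)?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    # Pad to three components so '6.2' compares equal to '6.2.0'.
    numbers += (0,) * (3 - len(numbers))
    return numbers, match.group(2) is not None


def is_affected(product, version):
    """True if `version` of `product` falls inside a range listed on the page."""
    numbers, prerelease = parse_version(version)
    for low, high in AFFECTED[product]:
        low_n, _ = parse_version(low)
        high_n, _ = parse_version(high)
        if low_n <= numbers < high_n:
            return True
        # Assumption: a pre-release build of the fixed version (e.g. -SNAPSHOT)
        # was cut before the fix shipped, so it is reported as affected.
        if prerelease and numbers == high_n:
            return True
    return False


if __name__ == "__main__":
    # Constructed inventory of broker versions, for illustration only.
    for found in ["5.9.0", "5.19.6", "5.19.10", "6.2.5", "6.2.6-SNAPSHOT", "6.2.6"]:
        print(found, "AFFECTED" if is_affected("Apache ActiveMQ", found) else "ok")
```

Components are compared numerically, so 5.9.0 is reported as affected and 5.19.10 is not; a plain string comparison gets both of those wrong.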