Code Injection Vulnerability in Apache ActiveMQ Products
CVE-2026-45505

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache ActiveMQ Broker; Apache ActiveMQ All; Apache ActiveMQ
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-45505?

A code injection vulnerability exists in Apache ActiveMQ due to improper input validation within the JMX-HTTP bridge. Specifically, the validation failure can allow an authenticated attacker to execute arbitrary code on the broker's JVM. The vulnerability arises when crafted discovery URIs are processed, allowing access to operations that should be restricted. For exploitation, attackers may invoke operations such as adding connectors that can trigger the loading of remote Spring XML application contexts, inadvertently executing arbitrary code due to the premature instantiation of singleton beans. It is essential for users to upgrade to the recommended versions 5.19.7 or 6.2.6 to mitigate this risk.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.7

Apache ActiveMQ 6.0.0 < 6.2.6

Apache ActiveMQ All 0 < 5.19.7

References

https://nvd.nist.gov/vuln/detail/CVE-2026-34197

https://lists.apache.org/thread/7n97nddyw96w6ykldjv1h40jx...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
May 12, 2026

Credit

lokerxx

CVE-2026-45505 Data

JSON