Improper Input Validation in Apache ActiveMQ Products by Apache
CVE-2026-49432


What is CVE-2026-49432?

An improper input validation vulnerability in Apache ActiveMQ can be exploited by a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition. The trigger is a negative content-length header sent to an exposed STOMP connector. On the NIO STOMP transport, an attacker can then keep streaming body bytes, and the command buffer can grow past its configured limits until the broker runs out of memory (OOM). On the blocking STOMP transport, the negative length forces an abnormal exception path that terminates the affected connection. Users should promptly upgrade to version 5.19.8 or 6.2.7 to mitigate this vulnerability.
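As an added defensive illustration (not ActiveMQ's own code), the following Python STOMP frame reader shows the kind of check the advisory implies: content-length is validated as numeric, non-negative and bounded before any body bytes are buffered, and a frame without content-length is still read under the same bound. MAX_FRAME_BYTES, the function names and the sample frames are constructed for this example.

```python
import io
MAX_FRAME_BYTES = 1 << 20  # constructed limit, standing in for a broker's max frame size

class StompFrameError(ValueError): """Malformed or over-limit frame; the caller should drop the connection."""

def parse_content_length(headers):
    """Validate content-length before any buffer is sized from it; None if absent."""
    raw = headers.get("content-length")
    if raw is None:
        return None
    try:
        length = int(raw)
    except ValueError:
        raise StompFrameError(f"non-numeric content-length {raw!r}")
    if length < 0:  # the bug class in this CVE: a negative length reaching the reader
        raise StompFrameError(f"negative content-length {length}")
    if length > MAX_FRAME_BYTES:
        raise StompFrameError(f"content-length {length} exceeds {MAX_FRAME_BYTES}")
    return length

def read_frame(stream):
    """Read one STOMP frame: command, header lines, blank line, body, NUL terminator."""
    command = stream.readline().rstrip(b"\n").decode("utf-8")
    headers = {}
    while (line := stream.readline()) not in (b"", b"\n"):
        key, _, value = line.rstrip(b"\n").decode("utf-8").partition(":")
        headers.setdefault(key, value)  # STOMP: the first occurrence of a header wins
    length = parse_content_length(headers)
    if length is not None:
        body = stream.read(length)
        if len(body) != length or stream.read(1) != b"\x00":
            raise StompFrameError("truncated body or missing NUL terminator")
        return command, headers, body
    body = bytearray()  # no content-length: body runs to the NUL byte, but stays bounded
    while (b := stream.read(1)) not in (b"", b"\x00"):
        body += b
        if len(body) > MAX_FRAME_BYTES:
            raise StompFrameError("body exceeds frame limit")
    return command, headers, bytes(body)

def parse_frame(data):
    return read_frame(io.BytesIO(data))

def frame_is_accepted(data):
    try:
        parse_frame(data)
        return True
    except StompFrameError:
        return False

GOOD_FRAME = b"SEND\ndestination:/queue/a\ncontent-length:5\n\nhello\x00"  # constructed
NEGATIVE_FRAME = b"SEND\ndestination:/queue/a\ncontent-length:-1\n\nhello\x00"  # constructed
```

A real broker performs the same validation inside its transport layer; the point is that the length is checked before it drives any allocation or read loop.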

Affected Version(s)

Apache ActiveMQ, all versions before 5.19.8

Apache ActiveMQ 6.0.0 up to, but not including, 6.2.7


Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Youngjoon Kim