Input Validation Flaw in Apache ActiveMQ Products
CVE-2026-49434

7.5 HIGH

What is CVE-2026-49434?

An improper input validation vulnerability in Apache ActiveMQ allows an attacker with the ability to publish or modify LDAP entries to instantiate unauthorized transports within the broker's JVM. This could enable the attacker to fetch malicious URLs and spawn a second BrokerService, posing a significant security risk. Users are urged to upgrade to versions 6.2.7 or 5.19.8 to mitigate this issue effectively.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.8

Apache ActiveMQ 6.0.0 < 6.2.7

Apache ActiveMQ All 0 < 5.19.8

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

@Add Content