Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia
Summary
| CVE | CVE-2026-41044 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-24 11:16:22 UTC |
| Updated | 2026-04-27 14:49:13 UTC |
| Description | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001040000 probability, percentile 0.281040000 (date 2026-04-27)
Problem Types: CWE-20 | CWE-94 | CWE-20 CWE-20 Improper Input Validation | CWE-94 CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache ActiveMQ | affected 5.19.6 semver | Not specified |
| CNA | Apache Software Foundation | Apache ActiveMQ | affected 6.0.0 6.2.5 semver | Not specified |
| CNA | Apache Software Foundation | Apache ActiveMQ Broker | affected 5.19.6 semver | Not specified |
| CNA | Apache Software Foundation | Apache ActiveMQ Broker | affected 6.0.0 6.2.5 semver | Not specified |
| CNA | Apache Software Foundation | Apache ActiveMQ All | affected 5.19.6 semver | Not specified |
| CNA | Apache Software Foundation | Apache ActiveMQ All | affected 6.0.0 6.2.5 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt | [email protected] | activemq.apache.org | Mailing List, Vendor Advisory |
| www.openwall.com/lists/oss-security/2026/04/23/6 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: jsjcw (en)
There are currently no legacy QID mappings associated with this CVE.