Apache ActiveMQ Vulnerabilities Expose Systems to DoS and Unauthorized Access

Administrators running Apache ActiveMQ are urged to update promptly following the disclosure of three vulnerabilities: one enables a denial-of-service (DoS) attack against the broker and two allow unauthorized access. The issues, tracked as CVE-2026-53917, CVE-2026-54475, and CVE-2026-49877, affect both the 5.x and 6.x lines of ActiveMQ and put messaging infrastructures built on it at risk.

Details of the Vulnerabilities

CVE-2026-53917 is a flaw in the unmarshalling of OpenWire message property maps. An authenticated user can send a crafted OpenWire message whose encoded map carries an excessively large size field. The broker uses that declared size to allocate storage before checking whether the payload can actually contain that many entries, so a single message can drive the JVM into an out-of-memory condition and crash the broker. The attacker needs only valid broker credentials, not elevated rights. The issue affects Apache ActiveMQ versions before 5.19.8 and 6.0.0 through 6.2.7, in the activemq-all, activemq-client and activemq-broker artifacts; because the client artifact is affected, the update applies to applications that embed the ActiveMQ client library as well as to brokers.
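The allocation-before-validation pattern described above, as an added example that is not code from the page or from ActiveMQ. It uses a simplified length-prefixed map layout invented for the demo (not the real OpenWire encoding) and an assumed entry limit of 10,000; the names unmarshal_map, unmarshal_map_unchecked, rejection_reason and the sample buffers are all constructed here. The hardened parser rejects the declared count against a policy limit and against the bytes actually present before sizing any storage.

```python
import struct

# Simplified, illustrative wire layout for the demo (NOT the real OpenWire encoding):
#   int32 entry_count, then entry_count entries of
#     u16 key_len, key (UTF-8), u8 type_tag, value
#   type_tag 1 -> int32 value; type_tag 2 -> u16 value_len, value (UTF-8)
TAG_INT, TAG_STR = 1, 2
MIN_ENTRY_BYTES = 5        # empty key (2) + tag (1) + empty string value (2)
MAX_MAP_ENTRIES = 10_000   # assumed policy limit for the demo, not a value from the advisory


class UnmarshalError(ValueError):
    pass


def _read_utf(buf, pos):
    """Read a u16 length-prefixed UTF-8 string, refusing to run past the buffer."""
    if pos + 2 > len(buf):
        raise UnmarshalError("truncated string length")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise UnmarshalError("truncated string body")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _read_entries(buf, pos, count, slots):
    """Fill the pre-sized `slots` list with (key, value) pairs read from `buf`."""
    for i in range(count):
        key, pos = _read_utf(buf, pos)
        if pos >= len(buf):
            raise UnmarshalError("truncated type tag")
        tag = buf[pos]
        pos += 1
        if tag == TAG_INT:
            if pos + 4 > len(buf):
                raise UnmarshalError("truncated int value")
            (value,) = struct.unpack_from(">i", buf, pos)
            pos += 4
        elif tag == TAG_STR:
            value, pos = _read_utf(buf, pos)
        else:
            raise UnmarshalError(f"unknown type tag {tag}")
        slots[i] = (key, value)
    return dict(slots)


def unmarshal_map_unchecked(buf):
    """Trusting pattern: size storage from the declared count before checking whether
    the payload could hold that many entries. A peer declaring 0x7fffffff entries makes
    this allocate first and fail later. Never feed it an untrusted buffer."""
    if len(buf) < 4:
        raise UnmarshalError("truncated count")
    (count,) = struct.unpack_from(">i", buf, 0)
    slots = [None] * max(count, 0)   # attacker-controlled allocation happens here
    return _read_entries(buf, 4, count, slots)


def unmarshal_map(buf, max_entries=MAX_MAP_ENTRIES):
    """Hardened pattern: bound the declared count by policy and by the bytes actually
    present before any count-proportional allocation."""
    if len(buf) < 4:
        raise UnmarshalError("truncated count")
    (count,) = struct.unpack_from(">i", buf, 0)
    if count < 0:
        raise UnmarshalError(f"negative map size {count}")
    if count > max_entries:
        raise UnmarshalError(f"declared map size {count} exceeds limit {max_entries}")
    remaining = len(buf) - 4
    if count * MIN_ENTRY_BYTES > remaining:
        raise UnmarshalError(f"declared map size {count} cannot fit in {remaining} bytes")
    return _read_entries(buf, 4, count, [None] * count)


def marshal_map(entries):
    """Encode a dict of str -> int|str in the demo layout (used to build a legitimate message)."""
    out = struct.pack(">i", len(entries))
    for key, value in entries.items():
        k = key.encode("utf-8")
        out += struct.pack(">H", len(k)) + k
        if isinstance(value, int):
            out += bytes([TAG_INT]) + struct.pack(">i", value)
        else:
            v = value.encode("utf-8")
            out += bytes([TAG_STR]) + struct.pack(">H", len(v)) + v
    return out


def rejection_reason(buf, parser=unmarshal_map):
    """Return the parser's error message for `buf`, or None if it parsed cleanly."""
    try:
        parser(buf)
        return None
    except UnmarshalError as e:
        return str(e)


# Constructed inputs for the demo.
LEGIT = marshal_map({"JMSXGroupID": "orders", "priority": 4})
CRAFTED = struct.pack(">i", 0x7FFFFFFF) + b"\x00\x00"      # declares ~2 billion entries, carries 2 bytes
TOO_MANY_FOR_BYTES = struct.pack(">i", 100) + b"\x00" * 10  # under the policy limit, still impossible
MODEST_LIE = struct.pack(">i", 1_000_000) + b"\x00\x00"    # small enough to run safely through the unchecked parser

if __name__ == "__main__":
    print("legit     ->", unmarshal_map(LEGIT))
    print("crafted   ->", rejection_reason(CRAFTED))
    print("short     ->", rejection_reason(TOO_MANY_FOR_BYTES))
    # The unchecked parser builds a 1,000,000-slot list before noticing the payload is 2 bytes.
    print("unchecked ->", rejection_reason(MODEST_LIE, unmarshal_map_unchecked))
```

The unchecked parser is only exercised with a declared size of one million entries so the demo stays within a few megabytes; the 0x7fffffff header is deliberately fed only to the hardened parser, which refuses it before allocating anything.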

CVE-2026-54475 is an authorization gap in ActiveMQ Classic's handling of temporary destinations. Temporary queues and topics are scoped to the connection that created them (they are commonly used as reply-to addresses in request/reply messaging) and are expected to be readable only by that connection. Because the broker does not verify a consumer's connection against the destination's creator, any other connection that learns a temporary destination's name can consume messages from it, breaking the expected isolation and exposing messages intended for another client. The issue affects Apache ActiveMQ versions before 5.19.8 and 6.0.0 through 6.2.7.
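The isolation rule that the fix restores, as an added example that is not ActiveMQ's code (the Broker class, the temp-queue naming scheme, the connection IDs and the request/reply messages are all invented for the demo): a toy in-memory broker whose ownership check on temporary destinations can be switched off to model the flawed behaviour, run through a request/reply exchange in which a third connection tries to read another client's reply.

```python
import itertools
from collections import deque


class AuthorizationError(PermissionError):
    pass


class Broker:
    """In-memory model of a broker's temporary-destination bookkeeping.
    Illustrative only; not ActiveMQ's implementation or naming scheme."""

    def __init__(self, enforce_temp_owner=True):
        self.enforce_temp_owner = enforce_temp_owner   # False models the flawed behaviour
        self._seq = itertools.count(1)
        self._queues = {"queue://orders": deque()}      # a normal, shared destination
        self._temp_owner = {}                           # temp destination -> creating connection

    def create_temp_queue(self, connection_id):
        name = f"temp-queue://{connection_id}:{next(self._seq)}"
        self._queues[name] = deque()
        self._temp_owner[name] = connection_id
        return name

    def send(self, destination, message):
        # Sending to a temp queue is open to anyone holding its name: that is how a
        # service answers a request whose reply-to is the requester's temp queue.
        if destination not in self._queues:
            raise KeyError(f"unknown destination {destination}")
        self._queues[destination].append(message)

    def consume(self, connection_id, destination):
        """Deliver the next message; only the creating connection may consume
        from its own temporary destination when enforcement is on."""
        owner = self._temp_owner.get(destination)
        if owner is not None and self.enforce_temp_owner and owner != connection_id:
            raise AuthorizationError(
                f"{connection_id} may not consume from {destination} (owner {owner})")
        q = self._queues[destination]
        return q.popleft() if q else None

    def close_connection(self, connection_id):
        """Temporary destinations are torn down with the connection that created them."""
        for name in [n for n, o in self._temp_owner.items() if o == connection_id]:
            del self._temp_owner[name]
            del self._queues[name]


def request_reply_scenario(enforce_temp_owner):
    """Client A sends a request with a temp-queue reply-to; service B answers it; a third
    connection C tries to read A's reply. Returns what C and A each received."""
    broker = Broker(enforce_temp_owner)
    reply_to = broker.create_temp_queue("conn-A")
    broker.send("queue://orders", {"reply_to": reply_to, "body": "price of SKU-42?"})

    request = broker.consume("conn-B", "queue://orders")      # B serves the shared queue
    broker.send(request["reply_to"], {"body": "SKU-42 costs 19.99"})

    try:
        stolen = broker.consume("conn-C", reply_to)            # C learned the temp name
    except AuthorizationError as e:
        stolen = f"denied: {e}"
    owner_got = broker.consume("conn-A", reply_to)
    broker.close_connection("conn-A")
    return {"thief": stolen, "owner": owner_got, "temp_exists": reply_to in broker._queues}


if __name__ == "__main__":
    print("without ownership check:", request_reply_scenario(False))
    print("with ownership check:   ", request_reply_scenario(True))
```

With enforcement off, conn-C drains the reply and the rightful owner receives nothing; with enforcement on, the broker refuses the foreign consumer and the reply reaches conn-A. Sending to the temporary queue is deliberately left open in both modes, since that is the reply-to pattern the feature exists for.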

CVE-2026-49877 is an authorization flaw in the Apache ActiveMQ Web Console. The default Jetty configuration does not restrict the administrative paths under /admin/* to accounts holding an administrative role, so any account that can log in to the console, whatever its role, can reach administrative functions and change broker settings or perform other privileged actions. The issue affects Apache ActiveMQ versions before 5.19.8 and 6.0.0 through 6.2.7.
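A check a practitioner can run over a console's servlet security configuration, added here as an example that is neither ActiveMQ's shipped Jetty configuration nor code from the page. The two web.xml fragments are constructed for the demo: one with a single constraint that lets both the user and admin roles reach every path, and one that adds an admin-only constraint on /admin/*. The audit resolves which roles can reach a sample admin path under the servlet rule that the most specific url-pattern wins, and flags anything beyond the admin role; the function names and role names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments for the demo; they show the servlet <security-constraint>
# mechanism only and are NOT ActiveMQ's shipped console configuration.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>console</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>console</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

ANYONE = "<unauthenticated>"   # marker for a constraint that has no <auth-constraint> at all


def _specificity(pattern, path):
    """Servlet matching order used here: an exact match beats a path-prefix pattern, and a
    longer prefix beats a shorter one. Returns None when the pattern does not match."""
    if pattern == path:
        return (2, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))
    return None


def roles_permitted(web_xml, path):
    """Roles allowed to reach `path` under the best-matching security-constraint, or
    None if no constraint covers it (the path is then unprotected). A role-name of "*"
    stays in the set as-is and is flagged by the audit like any non-admin role."""
    best = None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = {ANYONE} if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            spec = _specificity(pat.text.strip(), path)
            if spec is None:
                continue
            if best is None or spec > best[0]:
                best = (spec, set(roles))
            elif spec == best[0]:
                best[1].update(roles)   # same pattern declared twice: roles are unioned
    return None if best is None else best[1]


def audit_admin_paths(web_xml, admin_role="admin",
                      sample_paths=("/admin/index.jsp", "/admin/queues.jsp")):
    """Return findings (empty list = pass) for admin paths reachable by anyone but admins."""
    findings = []
    for path in sample_paths:
        roles = roles_permitted(web_xml, path)
        if roles is None:
            findings.append(f"{path}: no security-constraint covers this path")
        elif roles != {admin_role}:
            findings.append(f"{path}: reachable by roles {sorted(roles)}, expected only {admin_role!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "->", audit_admin_paths(cfg) or "ok")
```

The weak configuration is flagged because the only constraint covering /admin/ paths is the catch-all /* that admits the user role; the fixed one passes because its /admin/* constraint is more specific than /* and names only the admin role, while non-admin paths remain reachable by both roles.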

Recommended Actions

To mitigate these vulnerabilities, Apache recommends that affected users upgrade to a fixed release: 5.19.8 on the 5.x line and 6.2.7 on the 6.x line. Since the affected ranges given above also list 6.2.7 as vulnerable, confirm the exact fixed 6.x version against the Apache advisory before choosing a target release. The fixed releases add validation of OpenWire map sizes, an ownership check on temporary destinations, and a role restriction on the console's /admin/* paths. Prompt application of these patches is crucial to the security and stability of messaging infrastructures; until they are applied, limiting who holds broker and console credentials narrows exposure, since the OpenWire and Web Console issues both require an authenticated user.

These vulnerabilities underscore the importance of regular system updates and vigilant monitoring of security advisories. Organizations should assess their current ActiveMQ deployments, apply the necessary patches, and review their security configurations to prevent potential exploitation. Staying informed about such vulnerabilities and responding swiftly is essential in safeguarding critical communication systems against emerging threats.