Threat Advisory

ActiveMQ Vulnerabilities Permit Unauthorized Queue Deletion

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Apache ActiveMQ deployments, particularly affecting the 5.x and 6.x product lines prior to the latest releases. The flaws span remote code execution via the Jolokia management bridge, a bypass of security controls that permits loading of malicious configurations, improper handling of message‑derived HTTP headers that can lead to cross‑site scripting, and default authentication settings that grant excessive privileges to low‑privilege accounts. Collectively, these weaknesses enable attackers to execute arbitrary commands on the broker host, manipulate message queues, and compromise client‑facing applications, posing a serious risk to data integrity, confidentiality, and continuity of business operations.

  • CVE-2026-42588 – A code injection vulnerability in the Jolokia bridge allows an authenticated attacker to craft a discovery address that triggers arbitrary code execution within the ActiveMQ JVM.
  • CVE-2026-45505 – This bypass flaw lets attackers use malformed, non‑parenthesized discovery wrappers to evade validation checks and force the broker to load malicious remote configurations, requiring only authentication.
  • CVE-2026-42253 – An input validation issue in MessageServlet copies incoming message attributes directly into HTTP response headers without sanitization, enabling header injection and cross‑site scripting attacks against web users.
  • CVE-2026-49157 – Default authentication misconfiguration grants low‑privilege accounts full administrative rights, allowing non‑admin users to create or delete queues and disrupt normal data flows.

The combined exposure presents a high‑impact threat that could be leveraged quickly by adversaries familiar with ActiveMQ’s management interfaces. If exploited, organizations risk unauthorized code execution, data loss, and interruption of critical messaging pipelines, underscoring the need for immediate attention from leadership.

RECOMMENDATION:

  • We recommend updating Apache ActiveMQ to version 5.19.7 or 6.2.6.
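
A version triage for the recommendation above, as an added example that is not part of the original advisory. It assumes an inventory of "host version" lines (the hostnames and versions below are constructed), treats 5.19.7 and 6.2.6 as the minimum fixed release for the 5.x and 6.x lines respectively, and uses hypothetical function names.

```python
import re

# Fixed releases named in the advisory's recommendation, keyed by major line.
FIXED = {5: (5, 19, 7), 6: (6, 2, 6)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[A-Za-z0-9.]+)?$")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = tuple(int(g) if g else 0 for g in m.group(1, 2, 3))
    return nums, m.group(4) is not None

def triage(version_text):
    """Classify one broker version as 'patched', 'upgrade' or 'review'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"        # unparseable string: needs a manual look
    nums, prerelease = parsed
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return "review"        # major line the advisory does not mention
    if nums > fixed:
        return "patched"
    if nums == fixed:
        # Assumption: a -SNAPSHOT/-RC build of the fixed version predates it.
        return "upgrade" if prerelease else "patched"
    return "upgrade"

def triage_inventory(lines):
    """Map 'host version' lines to {host: verdict}; skip blanks and comments."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(" ")
        result[host] = triage(version)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """# host version
mq-prod-01 5.18.3
mq-prod-02 5.19.7
mq-stage-01 6.2.6-SNAPSHOT
mq-dev-01 6.3.0
mq-legacy-01 4.1.2
"""

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE.splitlines()).items():
        print(f"{host}: {verdict}")
```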

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/activemq-security-flaws-jolokia-exploit/
