EXECUTIVE SUMMARY:
Multiple vulnerabilities have been discovered in Apache ActiveMQ, ActiveMQ All, Broker, Client, and Stomp packages. These flaws include denial of service (DoS), stored cross-site scripting (XSS), information exposure, and privilege escalation risks. Successful exploitation could allow unauthenticated attackers to crash the message broker, consume excessive resources, intercept sensitive data between tenants, or hijack administrative sessions. The impact may result in service disruption across critical business pipelines such as payments and order processing, potentially causing significant operational downtime and data exposure.
CVE-2026-54475 with a CVSS score of 7.5 - Breaks temporary destination isolation because ownership is verified only on the client side, allowing a second connection to consume another connection's private messages.
CVE-2026-49877 with a CVSS score of 8.1 - Grants low-privilege Web Console users default admin access because the Jetty configuration failed to restrict administrative paths.
CVE-2026-49434 with a CVSS score of 7.5 - Abuses the LdapNetworkConnector to spawn a second broker and fetch a URL controlled by an attacker.
CVE-2026-53917 with a CVSS score of 7.5 - Crashes the broker by exploiting an oversized OpenWire property map to exhaust memory.
CVE-2026-50734 with a CVSS score of 7.8 - Forces an out-of-memory crash before authentication by abusing the wire-format negotiation process.
CVE-2026-50750 with a CVSS score of 7.5 - Floods the broker with repeated BrokerInfo commands to trigger an out-of-memory crash prior to authentication.
CVE-2026-53916 with a CVSS score of 7.5 - Allows unauthenticated peers to overflow connection buffers using endless headers, so the broker is affected without any credentials being supplied.
CVE-2026-49432 with a CVSS score of 7.5 - Lets unauthenticated peers overflow connection buffers with negative-length headers, affecting the broker without requiring authentication.
CVE-2026-52760 with a CVSS score of 6.4 - Stored cross-site scripting in the Web Console: script hidden inside a JMS message ID executes when an administrator views the queue.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-activemq-vulnerabilities-cve-2026-54475/