PatchSiren cyber security CVE debrief
CVE-2026-41044 Apache Software Foundation CVE debrief
CVE-2026-41044 is a high-severity vulnerability in Apache ActiveMQ (including the Apache ActiveMQ Broker and Apache ActiveMQ All artifacts). It is caused by improper input validation and code injection: an authenticated attacker can construct a malicious broker name that bypasses the broker's name validation, which can lead to arbitrary code execution in the broker's JVM. Affected versions are 5.x before 5.19.6 and 6.0.0 up to but not including 6.2.5; users should upgrade to 5.19.6 or 6.2.5. The CVSS score is 8.8 (High). The vulnerability was published on April 24, 2026, and last modified on June 30, 2026.
- Vendor
- Apache Software Foundation
- Product
- Apache ActiveMQ
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-24
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-04-24
- Advisory updated
- 2026-06-30
Who should care
Apache ActiveMQ users, administrators, and security teams should treat this as an immediate upgrade item and move to a fixed version (5.19.6 or 6.2.5). Because the attack path runs through the authenticated admin web console and the DestinationView MBean, teams should also review who holds credentials for those interfaces, monitor for exploitation attempts, and review their inventory of affected systems. Red Hat users can also refer to the related bug report and security advisories for more information.
Technical summary
The flaw is improper input validation that leads to code injection. An attacker authenticated to the ActiveMQ admin web console can set a broker name that bypasses the broker's name validation. The attacker then uses the DestinationView MBean to send a message that triggers creation of a VM transport referencing the malicious broker name; when the transport is created, the broker loads an attacker-controlled Spring XML context, and bean definitions in that context can invoke factory methods such as Runtime.exec(), giving arbitrary code execution in the broker's JVM.
Defensive priority
High priority should be given to upgrading Apache ActiveMQ to version 6.2.5 or 5.19.6. Additionally, security teams should monitor for potential exploitation attempts and review their inventory of affected systems.
Recommended defensive actions
- Upgrade Apache ActiveMQ to version 6.2.5 or 5.19.6
- Monitor for exploitation attempts, in particular unexpected broker name changes made through the admin web console and unexpected VM transport creation
- Review inventory of affected systems
- Refer to the related bug report and security advisories for more information
- Restrict access to the admin web console and to JMX/MBean interfaces such as DestinationView to trusted administrators, since exploitation requires an authenticated session
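The version boundaries from the summary and the inventory and monitoring actions above can be turned into a repeatable check. The following Python is an added example written for this debrief, not code from Apache ActiveMQ or from the advisory: it classifies inventory entries against the fixed releases 5.19.6 and 6.2.5, and screens configured broker names for URI syntax that a name would need to carry to turn vm://<name> into a transport URI with options. The hostnames, versions and broker names are constructed, and the URI hint list (including the VM transport's brokerConfig option and the xbean: scheme) is the editor's assumption about the payload shape, which the advisory does not publish.

```python
"""Affected-version triage and broker-name screening for CVE-2026-41044.

Added example for this debrief; it is not code from Apache ActiveMQ or from the
advisory. Version boundaries come from the debrief text: 5.x before 5.19.6 and
6.x before 6.2.5 are affected. The broker-name heuristics are this example's
own assumption about what an injected name would need to contain.
"""
import re

# First fixed release per major line, per the debrief (5.19.6 and 6.2.5).
FIRST_FIXED = {5: (5, 19, 6), 6: (6, 2, 5)}

# Conservative allowlist for a broker name: ActiveMQ's vm:// transport embeds
# the broker name in a URI, so anything that looks like URI syntax is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Assumed tell-tales of a name built to smuggle URI options or a resource
# scheme (e.g. the VM transport's brokerConfig option pointing at an xbean
# Spring XML file). The advisory does not publish the payload format.
URI_HINTS = ("?", "&", "=", "xbean:", "file:", "http:", "https:", "classpath:")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.18.3' or
    '5.15.9.redhat-00001'; vendor suffixes after the third component are ignored."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in match.groups())


def affected_status(version):
    """Classify one ActiveMQ version as 'affected', 'fixed' or 'unknown'.

    'unknown' covers major lines the debrief does not describe (e.g. 7.x)."""
    parsed = parse_version(version)
    fixed = FIRST_FIXED.get(parsed[0])
    if fixed is None:
        return "unknown"
    return "affected" if parsed < fixed else "fixed"


def triage_inventory(inventory):
    """Given {host: version}, return (hosts needing an upgrade, hosts whose
    version could not be classified), each sorted by host name."""
    needs_upgrade, unknown = [], []
    for host, version in sorted(inventory.items()):
        status = affected_status(version)
        if status == "affected":
            needs_upgrade.append((host, version))
        elif status == "unknown":
            unknown.append((host, version))
    return needs_upgrade, unknown


def screen_broker_name(name):
    """Return the reasons a broker name looks like VM-transport URI injection;
    an empty list means it passes the allowlist and carries no URI hints."""
    reasons = []
    if not SAFE_NAME.match(name):
        reasons.append("outside allowlist [A-Za-z0-9._-]{1,64}")
    reasons.extend(f"contains {hint!r}" for hint in URI_HINTS if hint in name)
    return reasons


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "mq-prod-01": "5.18.3",
        "mq-prod-02": "5.19.6",
        "mq-stage-01": "6.1.2",
        "mq-stage-02": "6.2.5",
        "mq-lab-01": "5.15.9.redhat-00001",
        "mq-lab-02": "7.0.0",
    }
    upgrade, unknown = triage_inventory(sample)
    print("needs upgrade:", upgrade)
    print("unknown line:", unknown)

    # Constructed broker names: the first two are ordinary, the rest mimic
    # URI smuggling and would be flagged for review.
    for candidate in ("prod-broker.01", "broker_02",
                      "evil?brokerConfig=xbean:http://203.0.113.9/b.xml",
                      "name&persistent=false"):
        print(candidate, "->", screen_broker_name(candidate) or "ok")
```

Run it against the broker names actually configured in your environment (the admin console and the broker's XML configuration both expose the name); a non-empty reason list is a prompt for review, not proof of compromise, since the allowlist is deliberately stricter than whatever validation the broker applies.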
Evidence notes
The CVE was published on April 24, 2026, and last modified on June 30, 2026. The CVSS score is 8.8 (High). Affected versions are 5.x before 5.19.6 and 6.0.0 before 6.2.5; the fixed releases are 5.19.6 and 6.2.5.
Official resources
- CVE-2026-41044 CVE record (CVE.org)
- CVE-2026-41044 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Mailing List, Vendor Advisory)
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.