PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41044 Apache Software Foundation CVE debrief

CVE-2026-41044 is a critical vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, and Apache ActiveMQ All. It is caused by improper input validation and code injection: an authenticated attacker can construct a malicious broker name that bypasses name validation, which can lead to arbitrary code execution on the broker's JVM. Affected versions are Apache ActiveMQ before 5.19.6 and 6.0.0 to 6.2.5; users are recommended to upgrade to version 6.2.5 or 5.19.6 to fix the issue. The CVSS score is 8.8, indicating high severity. The vulnerability was published on April 24, 2026, and modified on June 30, 2026.

Vendor
Apache Software Foundation
Product
Apache ActiveMQ
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-24
Original CVE updated
2026-06-30
Advisory published
2026-04-24
Advisory updated
2026-06-30

Who should care

Apache ActiveMQ users, administrators, and security teams should be aware of this vulnerability and take immediate action to upgrade to a fixed version. Additionally, security teams should monitor for potential exploitation attempts and review their inventory of affected systems. Red Hat users can also refer to the related bug report and security advisories for more information.

Technical summary

The vulnerability is caused by improper input validation and code injection in Apache ActiveMQ. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation, leading to arbitrary code execution on the broker's JVM. The attacker can use the DestinationView mbean to send a message to trigger a VM transport creation that references the malicious broker name, loading the malicious Spring XML context file. This allows for code execution through bean factory methods such as Runtime.exec().

Defensive priority

High priority should be given to upgrading Apache ActiveMQ to version 6.2.5 or 5.19.6. Additionally, security teams should monitor for potential exploitation attempts and review their inventory of affected systems.

Recommended defensive actions

  • Upgrade Apache ActiveMQ to version 6.2.5 or 5.19.6
  • Monitor for potential exploitation attempts
  • Review inventory of affected systems
  • Refer to related bug report and security advisories for more information
  • Implement additional security measures to prevent code injection attacks
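The inventory review above can be scripted against the version ranges this debrief states. The following is an added example, not PatchSiren or Apache code; it assumes "6.0.0 to 6.2.5" means up to the 6.2.5 fix (6.2.5 itself treated as fixed, since the debrief names it as the upgrade target), and the host names are constructed.

```python
"""Inventory triage for CVE-2026-41044 (added example, not the vendor's code).

Affected ranges as stated in the debrief: ActiveMQ before 5.19.6, and 6.0.0 up to
the 6.2.5 fix. Treating 6.2.5 as fixed is an assumption based on the upgrade advice.
"""
import re
from typing import Optional, Tuple

FIXED_5X = (5, 19, 6)   # fix for the 5.x line
FIRST_6X = (6, 0, 0)    # start of the affected 6.x range
FIXED_6X = (6, 2, 5)    # fix for the 6.x line

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch' from strings such as '5.18.3' or '6.1.2-SNAPSHOT'.
    Returns None when the string does not start with three numeric components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if inside a stated affected range, False otherwise,
    None if unparseable (flag for manual review rather than silently passing)."""
    v = parse_version(version)
    if v is None:
        return None
    return v < FIXED_5X or FIRST_6X <= v < FIXED_6X


def triage_inventory(inventory):
    """Sort (host, version) pairs into upgrade / ok / review buckets."""
    buckets = {"upgrade": [], "ok": [], "review": []}
    for host, version in inventory:
        status = is_affected(version)
        key = "review" if status is None else ("upgrade" if status else "ok")
        buckets[key].append((host, version))
    return buckets


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("mq-prod-01", "5.18.3"), ("mq-prod-02", "5.19.6"), ("mq-stage-01", "6.1.2"),
    ("mq-stage-02", "6.2.5"), ("mq-dev-01", "6.3.0"), ("mq-legacy", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Versions outside both stated ranges (for example a hypothetical 5.20.x) are reported as not affected because the debrief does not list them; confirm against the vendor advisory before relying on that.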

Evidence notes

Published April 24, 2026; last modified June 30, 2026. CVSS 8.8 (High). Affected versions: Apache ActiveMQ before 5.19.6 and 6.0.0 to 6.2.5; fixed versions: 5.19.6 and 6.2.5.

Official resources

This article is AI-assisted and based on the supplied source corpus.