PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42253 Apache Software Foundation CVE debrief

Apache ActiveMQ's MessageServlet copies all JMS message properties into HTTP response headers without validation, enabling header injection and security header manipulation. The vulnerability affects ActiveMQ before 5.19.7 and versions 6.0.0 through 6.2.5, as well as Apache ActiveMQ Web in the same ranges. The MessageServlet has been deprecated and disabled by default in the fixed versions.

Vendor
Apache Software Foundation
Product
Apache ActiveMQ
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running Apache ActiveMQ with the web console enabled, particularly where MessageServlet endpoints are reachable by untrusted users or where the broker accepts JMS messages from external or untrusted producers. Because the injected content originates in message properties, the attacker is the message producer rather than the HTTP client: any party able to publish to a queue or topic that MessageServlet reads can influence the headers browsers receive from the console.

Technical summary

The MessageServlet in Apache ActiveMQ's web console API iterates over the properties of a JMS message and copies each property name and value into the HTTP response headers without sanitization or validation. An attacker who can control JMS message properties can therefore inject arbitrary response headers, including overwriting security headers such as Content-Security-Policy, X-Frame-Options, or Set-Cookie, simply by setting a property whose name matches the header. The advisory classifies the weakness as improper neutralization of input during web page generation (CWE-79); in practice the primitive is HTTP response header injection, which can facilitate cross-site scripting (for example through an attacker-chosen Content-Type or a weakened Content-Security-Policy) or, if the servlet container does not strip CR and LF from header values, full response splitting. Overwriting an existing security header requires no CR or LF at all, only a colliding property name. The fix in versions 5.19.7 and 6.2.6 deprecates the MessageServlet and disables it by default.
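The following is an added illustration of the pattern described above beside a hardened alternative; it is not ActiveMQ's own MessageServlet source. The class name MessageHeaderCopy, the EXPOSED_PREFIX namespace, and the PROTECTED header list are assumptions chosen for the example. It uses the javax.jms and javax.servlet APIs of ActiveMQ 5.x; the 6.x line uses the jakarta.* packages instead.

```java
// Added example, not ActiveMQ project code. Shows the copy-all-properties
// pattern the advisory describes, then a variant that validates, namespaces
// and denylists before reflecting anything into response headers.
import java.util.Enumeration;
import java.util.Set;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.servlet.http.HttpServletResponse;

public final class MessageHeaderCopy {

    /** Vulnerable pattern: every JMS property name becomes a response header name. */
    public static void copyAllProperties(Message msg, HttpServletResponse resp)
            throws JMSException {
        Enumeration<?> names = msg.getPropertyNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            // A producer-controlled property named "X-Frame-Options" or
            // "Set-Cookie" replaces whatever the servlet intended to send.
            resp.setHeader(name, String.valueOf(msg.getObjectProperty(name)));
        }
    }

    /** Assumed prefix under which application properties are exposed (hypothetical). */
    static final String EXPOSED_PREFIX = "X-AMQ-Prop-";

    /** Headers that must never be producer-controlled; compared case-insensitively. */
    static final Set<String> PROTECTED = Set.of(
            "content-security-policy", "x-frame-options", "set-cookie",
            "content-type", "location", "access-control-allow-origin");

    /** True if the name is a valid RFC 7230 token: no CR/LF, no separators, no spaces. */
    static boolean isToken(String s) {
        return !s.isEmpty() && s.matches("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    }

    /** True if the value cannot terminate or split the header block. */
    static boolean isSafeValue(String v) {
        return v.indexOf('\r') < 0 && v.indexOf('\n') < 0 && v.indexOf('\0') < 0;
    }

    /**
     * Decide whether a property may be reflected and under which header name.
     * Returns null when the property must be dropped. The same predicate doubles
     * as a detection rule: a property that trips it is worth logging.
     */
    static String exposedHeaderName(String propName, String value) {
        if (!isToken(propName) || !isSafeValue(value)) {
            return null;                          // would corrupt the header block
        }
        if (PROTECTED.contains(propName.toLowerCase())) {
            return null;                          // never let producers set these
        }
        return EXPOSED_PREFIX + propName;         // namespaced, so it cannot collide
    }

    /** Hardened pattern: validate, deny protected names, namespace the rest. */
    public static void copyValidatedProperties(Message msg, HttpServletResponse resp)
            throws JMSException {
        Enumeration<?> names = msg.getPropertyNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String value = String.valueOf(msg.getObjectProperty(name));
            String header = exposedHeaderName(name, value);
            if (header == null) {
                continue;                         // drop; a real servlet would log here
            }
            resp.setHeader(header, value);
        }
    }
}
```

The namespace prefix is what actually closes the collision: once every reflected property lands under X-AMQ-Prop-, a property named Set-Cookie cannot reach the real Set-Cookie header, and the PROTECTED denylist is defence in depth rather than the primary control. The token and CR/LF checks matter even when the container strips line breaks itself, because relying on the container leaves the servlet one configuration change away from response splitting.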

Defensive priority

high

Recommended defensive actions

  • Upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6 or later, where the MessageServlet is deprecated and disabled by default.
  • If immediate upgrade is not possible, disable the MessageServlet (for example by removing its servlet mapping from the web application's web.xml) or restrict it at the network or reverse-proxy layer to trusted clients.
  • Review the headers returned by ActiveMQ web console responses for values that differ from the console's expected security headers, or that change from message to message; a Set-Cookie or Content-Security-Policy header that tracks message content is a sign of injection.
  • Monitor JMS message properties for names that match HTTP header names (for example Content-Type, Set-Cookie, X-Frame-Options) or values containing CR or LF characters; legitimate producers rarely need either.
  • Audit web console access logs for requests to MessageServlet endpoints, and correlate them with the producers of the messages served, since the attacker here is the message producer rather than the HTTP client.

Evidence notes

CVE published 2026-06-01. Advisory references confirm Apache security team disclosure. No KEV listing.
