PatchSiren cyber security CVE debrief

CVE-2026-42588 Apache Software Foundation CVE debrief

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on its web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that uses the 'masterslave://' URL scheme and reaches the VM transport's brokerConfig parameter, which causes a Spring XML application context to be loaded via ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Broker
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Apache ActiveMQ Classic versions before 5.19.7, or 6.0.0 through 6.2.5, with the web console and its Jolokia JMX-HTTP bridge enabled. Security teams responsible for messaging infrastructure, Java application security, and Spring Framework deployments should prioritize patching.

Technical summary

This vulnerability in Apache ActiveMQ Classic stems from improper input validation (CWE-20) and code injection (CWE-94). The Jolokia JMX-HTTP bridge, exposed at /api/jolokia/ on the web console, uses a default access policy that permits exec operations on all org.apache.activemq:* MBeans. The BrokerService.addNetworkConnector(String) MBean operation accepts a discovery URI parameter that is not sufficiently validated. An authenticated attacker can supply a crafted URI using the masterslave:// scheme with a brokerConfig parameter pointing to a malicious Spring XML configuration. The ResourceXmlApplicationContext loads and instantiates all singleton beans before ActiveMQ validates the broker configuration, enabling arbitrary code execution through bean factory methods like Runtime.exec(). The attack requires authentication to the Jolokia endpoint but results in full remote code execution on the broker JVM.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade Apache ActiveMQ Classic to 5.19.7 or later on the 5.x line, or 6.2.6 or later on the 6.x line; these releases fix the issue.
  • If immediate patching is not feasible, restrict access to the Jolokia JMX-HTTP bridge at /api/jolokia/ to trusted administrative hosts only.
  • Review and harden Jolokia access policies to limit exec operations on ActiveMQ MBeans, particularly BrokerService.addNetworkConnector(String).
  • Monitor for suspicious requests to /api/jolokia/ containing crafted discovery URIs with masterslave:// or brokerConfig parameters.
  • Audit broker configurations for unexpected network connectors or Spring XML application context loads.
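The following Python script is an added example, not part of the advisory or of the ActiveMQ project, that puts two of the actions above into practice: it audits a jolokia-access.xml for whether the exec command can still reach addNetworkConnector on ActiveMQ MBeans, and it scans web-console access-log lines for exec requests to /api/jolokia/ that carry the indicators the advisory names (masterslave://, brokerConfig, addNetworkConnector). The policy fragments and log lines are constructed; the policy semantics assumed are Jolokia's documented model (a missing commands section allows every command type, and deny rules take precedence over allow rules), and the MBean match is a prefix check rather than full JMX ObjectName pattern matching, so treat the audit as a first-pass review of your own conf/jolokia-access.xml.

```python
"""Added example: audit a Jolokia access policy and scan access logs for the
exec pattern described in the ActiveMQ advisory. All sample data is constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

JOLOKIA_PATH = "/api/jolokia"
ACTIVEMQ_DOMAIN = "org.apache.activemq:"
DANGEROUS_OP = "addNetworkConnector"
# Indicator strings from the advisory; matched case-insensitively after decoding.
INDICATORS = ("masterslave:", "brokerconfig", "addnetworkconnector")

# Constructed policy fragments (assumed shapes, not copied from any ActiveMQ release).
# With no <commands> section, Jolokia allows every command type, exec included.
PERMISSIVE_POLICY = """<restrict>
  <cors><strict-checking/></cors>
</restrict>"""

# Hardened variant: exec is dropped from the global command list and the
# dangerous operation is explicitly denied on every Broker MBean.
HARDENED_POLICY = """<restrict>
  <cors><strict-checking/></cors>
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
    <command>search</command>
  </commands>
  <deny>
    <mbean>
      <name>org.apache.activemq:type=Broker,*</name>
      <operation>addNetworkConnector</operation>
    </mbean>
  </deny>
</restrict>"""


def _rules_cover_dangerous_op(root, section):
    """True if <section>/<mbean> names an ActiveMQ MBean with the dangerous op or '*'.
    Simplification: prefix check instead of full JMX ObjectName pattern matching."""
    for mbean in root.iterfind(f"{section}/mbean"):
        name = (mbean.findtext("name") or "").strip()
        ops = {(o.text or "").strip() for o in mbean.findall("operation")}
        if name.startswith(ACTIVEMQ_DOMAIN) and ops & {DANGEROUS_OP, "*"}:
            return True
    return False


def audit_policy(xml_text):
    """Report whether exec -> addNetworkConnector is reachable under this policy."""
    root = ET.fromstring(xml_text)
    commands = root.find("commands")
    exec_global = commands is None or any(
        (c.text or "").strip() == "exec" for c in commands.findall("command"))
    allowed = _rules_cover_dangerous_op(root, "allow")
    denied = _rules_cover_dangerous_op(root, "deny")  # deny wins over allow
    return {
        "exec_globally_allowed": exec_global,
        "addNetworkConnector_denied": denied,
        "addNetworkConnector_reachable": (exec_global or allowed) and not denied,
    }


# Constructed Jetty-style (NCSA) access-log lines; the exec argument is a
# double-encoded placeholder, not a working URI.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jun/2026:10:15:32 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalMessageCount HTTP/1.1" 200 123
10.0.0.9 - admin [01/Jun/2026:10:16:01 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/masterslave%253A%252F%252FPLACEHOLDER%253FbrokerConfig%253DPLACEHOLDER HTTP/1.1" 200 87
10.0.0.9 - admin [01/Jun/2026:10:16:05 +0000] "POST /api/jolokia/ HTTP/1.1" 200 87
10.0.0.7 - - [01/Jun/2026:10:17:00 +0000] "GET /admin/index.jsp HTTP/1.1" 200 4567
"""

NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _deep_unquote(s, rounds=3):
    """Percent-decode repeatedly so double-encoded arguments do not slip past."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_suspicious_jolokia_requests(log_text):
    """Return findings for Jolokia requests worth an analyst's attention."""
    findings = []
    for line in log_text.splitlines():
        m = NCSA_RE.match(line)
        if not m or not m["path"].startswith(JOLOKIA_PATH):
            continue
        path = _deep_unquote(m["path"]).lower()
        hits = [i for i in INDICATORS if i in path]
        if m["method"] == "GET" and ("/exec/" in path or hits):
            findings.append({"ip": m["ip"], "user": m["user"],
                             "reason": "exec via GET", "indicators": hits})
        elif m["method"] == "POST":
            # Jolokia POST requests carry the command in a JSON body, which the
            # access log does not record; inspect bodies at the proxy or WAF.
            findings.append({"ip": m["ip"], "user": m["user"],
                             "reason": "POST to Jolokia (body not in access log)",
                             "indicators": []})
    return findings


if __name__ == "__main__":
    print("permissive:", audit_policy(PERMISSIVE_POLICY))
    print("hardened:  ", audit_policy(HARDENED_POLICY))
    for f in find_suspicious_jolokia_requests(SAMPLE_LOG):
        print(f)
```

The POST branch is the caveat that matters in practice: because the standard NCSA access log never shows a Jolokia JSON body, log-based detection only covers the GET form, and a complete monitoring rule needs request-body visibility at a reverse proxy or WAF in front of the console. Restricting the policy and upgrading remain the controls that actually remove the exposure.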

Evidence notes

CVE published 2026-06-01. Affects Apache ActiveMQ Broker before 5.19.7 and from 6.0.0 before 6.2.6; Apache ActiveMQ All before 5.19.7 and from 6.0.0 before 6.2.6; Apache ActiveMQ before 5.19.7 and from 6.0.0 before 6.2.6. CWE-20 (Improper Input Validation) and CWE-94 (Improper Control of Generation of Code/Code Injection) identified by [email protected].

Official resources

2026-06-01