Apache ActiveMQ: Nine Vulnerabilities Disclosed, Affecting Broker and Web Console
Apache ActiveMQ users face a batch of nine vulnerabilities disclosed in late June/early July 2026, including DoS, XSS, and information disclosure flaws.

Key findings
- Nine vulnerabilities disclosed for Apache ActiveMQ between June 30 and July 2, 2026.
- Multiple denial-of-service vulnerabilities affect STOMP and OpenWire protocols.
- Cross-site scripting and improper authorization issues found in the ActiveMQ web console.
- Information disclosure risks present due to broken temporary destination isolation and LDAP entry validation.
- Affected versions include releases before 5.19.8 and, for CVE-2026-49877, 6.0.0 before 6.2.7.
On June 30, 2026, a batch of nine vulnerabilities was disclosed for Apache ActiveMQ, impacting various components including the web console, STOMP connector, and core broker functionalities. These vulnerabilities, disclosed over a two-day period, range in severity from moderate to important, with several allowing for denial of service and unauthorized access.
Several vulnerabilities center on denial of service (DoS) conditions. CVE-2026-49432 and CVE-2026-53916 stem from improper input validation in the STOMP connector, while CVE-2026-50734 and CVE-2026-50750 involve crafted frames and repeated commands in the OpenWire protocol, respectively. Additionally, CVE-2026-53917 concerns an unbounded header buffer in the STOMP NIO codec, and CVE-2026-53917 involves a crafted OpenWire message that can lead to a DoS.
Beyond denial of service, other notable issues include improper authorization and information disclosure. CVE-2026-49877, affecting the web console, allows authenticated low-privilege users to access administrative paths because of default Jetty configurations. CVE-2026-49434 describes an unauthorized broker instantiation risk stemming from improper input validation in LDAP entries. CVE-2026-54475 is an information disclosure vulnerability caused by broken temporary destination isolation. A cross-site scripting (XSS) vulnerability, CVE-2026-52760, was also disclosed: the web console's browse page renders message IDs without proper sanitization, potentially allowing an authenticated producer to inject malicious scripts.
The disclosed vulnerabilities affect Apache ActiveMQ versions prior to 5.19.8, and from 6.0.0 before 6.2.7 for CVE-2026-49877. Specific patches and version updates are expected to address these issues. Users are advised to consult the official Apache ActiveMQ advisories for detailed information on affected versions and remediation steps.
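As an added illustration of the version ranges just stated (example code, not code from the Apache ActiveMQ project or from the advisories themselves), the following Python script classifies a constructed broker inventory against those two ranges. The host names and version strings are placeholders, and the ranges encoded are exactly the ones this summary gives: releases before 5.19.8 for all nine CVEs, and 6.0.0 before 6.2.7 for CVE-2026-49877. Treat the output as a triage aid and confirm against the official advisories, which may list affected lines this summary does not.

```python
"""Version-range check for the Apache ActiveMQ advisory batch summarized above.

Added example, not code from the Apache ActiveMQ project. It encodes only the
two ranges the summary states: all nine CVEs affect releases before 5.19.8, and
CVE-2026-49877 additionally affects 6.0.0 up to (not including) 6.2.7. The
inventory below is constructed; the host names are placeholders.
"""
import re

# Hypothetical inventory of broker hosts and the version each one reports.
INVENTORY = [
    ("mq-prod-01", "5.18.3"),
    ("mq-prod-02", "5.19.8"),
    ("mq-dev-01", "6.1.2"),
    ("mq-dev-02", "6.2.7"),
    ("mq-lab-01", "6.0.0-SNAPSHOT"),
]

# major.minor.patch with an optional trailing qualifier such as -SNAPSHOT or .1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.].*)?$")

# (label, inclusive lower bound or None, exclusive upper bound), as stated in the summary
AFFECTED_RANGES = [
    ("all nine CVEs", None, (5, 19, 8)),
    ("CVE-2026-49877", (6, 0, 0), (6, 2, 7)),
]


def parse_version(text):
    """Return (major, minor, patch) for a version string, ignoring any qualifier.

    A qualifier like -SNAPSHOT is dropped, so a pre-release of a fixed version is
    still treated as the fixed version; that is a conservative choice only if the
    fixed number is above the affected range, so review such hosts by hand.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def affected_by(version_text):
    """Return the labels of the stated ranges that contain this version."""
    version = parse_version(version_text)
    hits = []
    for label, low, high in AFFECTED_RANGES:
        if (low is None or low <= version) and version < high:
            hits.append(label)
    return hits


def scan_inventory(inventory):
    """Map each host to the ranges it falls into; an empty list means no stated range matched."""
    return {host: affected_by(version) for host, version in inventory}


if __name__ == "__main__":
    for host, hits in scan_inventory(INVENTORY).items():
        status = ", ".join(hits) if hits else "outside the stated ranges"
        print(f"{host:12} {status}")
```

Because the 6.x range is attached only to CVE-2026-49877 in this summary, a 6.1.2 broker is reported for that CVE alone; if the official advisories extend other CVEs to the 6.x line, add a corresponding entry to `AFFECTED_RANGES` rather than editing the comparison logic.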
This coordinated disclosure event underscores the importance of regularly updating ActiveMQ instances and reviewing security configurations, particularly for components exposed to the network or administrative interfaces. The range of vulnerabilities, from DoS to information disclosure and XSS, highlights the multifaceted security challenges within messaging systems. Users should prioritize patching and monitoring for any signs of exploitation.