Apache Software Foundation: 21 Vulnerabilities Across Multiple Products Disclosed in Early July 2026
A batch of 21 vulnerabilities disclosed across Apache ActiveMQ, Tomcat, Shiro, Kerby, and HttpComponents between June 26 and July 3, 2026, impacting core functionalities.

Key findings
- 21 CVEs disclosed across Apache ActiveMQ, Tomcat, Shiro, Kerby, and HttpComponents between June 26 and July 3, 2026.
- Multiple denial-of-service vulnerabilities affect Apache ActiveMQ via STOMP, OpenWire, and crafted frames.
- Apache Tomcat vulnerabilities include authentication bypass and ignored security constraints.
- Apache Shiro 'Remember Me' cookie age verification and shiro-guice module flaws disclosed.
- Apache Kerby vulnerabilities allow pre-authentication bypass and DoS via nested ASN.1 structures.
- Apache HttpComponents Core vulnerable to resource consumption via excessive HTTP headers.
Between June 26 and July 3, 2026, a batch of 21 vulnerabilities was disclosed across multiple Apache Software Foundation products. The cluster affects Apache ActiveMQ, Apache Tomcat, Apache Shiro, Apache Kerby, and Apache HttpComponents, with several critical and important flaws impacting core functionalities and security mechanisms. The disclosures range from denial of service and information disclosure to authentication bypass and cross-site scripting, underscoring the need for prompt patching by users of these widely adopted open-source projects.
Apache ActiveMQ Vulnerabilities
A substantial portion of the disclosed vulnerabilities, nine in total, affect Apache ActiveMQ. These issues, disclosed between June 30 and July 2, 2026, impact the broker, web console, and various connectors. CVE-2026-49432, CVE-2026-50734, CVE-2026-50750, CVE-2026-53916, and CVE-2026-53917 all describe denial-of-service (DoS) conditions: CVE-2026-49432 and CVE-2026-53916 involve improper input validation in the STOMP connector and an unbounded header buffer in the STOMP NIO codec, respectively; CVE-2026-50734 and CVE-2026-50750 are triggered by crafted WireFormatInfo frames and repeated BrokerInfo commands; and CVE-2026-53917 is a DoS via a crafted OpenWire Message.
Further complicating the security posture of ActiveMQ, CVE-2026-52760 presents a cross-site scripting (XSS) vulnerability in the web console, where message IDs are rendered without proper sanitization, allowing authenticated producers to inject malicious scripts. CVE-2026-49877 addresses an improper authorization flaw in the web console, where low-privilege users could access restricted paths by default due to incorrect Jetty settings. Additionally, CVE-2026-49434 points to unauthorized broker instantiation via improper input validation in LDAP entries, and CVE-2026-54475 reveals an information disclosure risk due to broken temporary destination isolation. Affected ActiveMQ versions include those prior to 5.19.8 and, for specific CVEs, from 6.0.0 before 6.2.7.
Apache Tomcat Vulnerabilities
Apache Tomcat users faced a series of vulnerabilities disclosed on June 29 and June 30, 2026. CVE-2026-55957, rated as important, allows authentication bypass when the JNDIRealm is configured to authenticate binds using GSSAPI, affecting versions from 11.0.0-M1 through 11.0.4, 10.1.0-M1 through 10.1.36, and 9.0.x. Similarly, CVE-2026-55956, also an important vulnerability, involves improper authorization where security constraints for the default servlet are ignored, impacting versions from 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, and 9.0.x.
Other Tomcat vulnerabilities include CVE-2026-55955, a moderate-severity replay attack vulnerability in the EncryptionInterceptor. CVE-2026-53404, another moderate flaw, allows unexpected rule processing due to incorrect control flow in the rewrite valve. CVE-2026-50229 is a moderate XSS vulnerability in the number guess example. Lower severity issues include CVE-2026-55276 (misleading security logs) and CVE-2026-53434 (error condition not handled when configuring CRLs).
Apache Shiro and Kerby Vulnerabilities
The batch also included vulnerabilities in Apache Shiro and Apache Kerby. CVE-2026-56130, disclosed on June 28, 2026, affects Apache Shiro when the "Remember me" functionality is enabled, allowing attackers to reuse expired cookies indefinitely due to a lack of server-side age verification. CVE-2026-56091, also disclosed on June 28, impacts the shiro-guice module in web servlet contexts, potentially leading to an authentication bypass via a specially crafted HTTP request.
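One way to enforce remember-me cookie age on the server side, shown as an added Python example that is not Shiro's code: the issue time travels inside the HMAC-protected payload and is compared against a maximum age on every use, so a cookie that has outlived the policy is refused even though its MAC still verifies. The key, the 14-day limit and the cookie contents are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; a real deployment loads the key from a secret store.
SECRET_KEY = b"example-remember-me-key"
MAX_AGE_SECONDS = 14 * 24 * 3600   # constructed policy: remember-me cookies live 14 days
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_cookie(username: str, issued_at: int) -> str:
    """Build a remember-me cookie whose issue time is part of the signed payload,
    so the client cannot move it forward without breaking the MAC."""
    payload = json.dumps({"u": username, "iat": issued_at}).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def verify_cookie(cookie: str, now: int, enforce_age: bool = True):
    """Return the username for a valid cookie, or None.

    enforce_age=False models the flaw described for CVE-2026-56130: the MAC is
    checked but the cookie's age is not, so an old cookie keeps working forever.
    """
    try:
        token = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, TypeError):
        return None
    if len(token) <= SIG_LEN:
        return None
    payload, sig = token[:-SIG_LEN], token[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                      # forged or tampered
    claims = json.loads(payload)
    if enforce_age and now - claims["iat"] > MAX_AGE_SECONDS:
        return None                      # expired: reject despite a valid MAC
    return claims["u"]
```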
Apache Kerby, a Kerberos implementation, saw two vulnerabilities disclosed on June 26, 2026. CVE-2026-57915, an important severity flaw, allows for Kerberos pre-authentication bypass via an unrecognized PA-DATA type. CVE-2026-57914, a moderate severity vulnerability, enables a denial-of-service condition via deeply nested ASN.1 structures.
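The Kerby issue above is a recursion-depth problem in ASN.1 decoding. The following added example, which is not Kerby's code, is a minimal DER TLV parser in Python whose depth counter refuses input nested beyond a limit; the limit of 32, the `nested_sequences` helper and its test input are constructed assumptions, not values taken from Kerby.

```python
MAX_NESTING_DEPTH = 32   # constructed limit; Kerby's actual bound is not given on the page


class Asn1TooDeep(Exception):
    pass


def parse_der(data: bytes, pos: int = 0, depth: int = 0):
    """Parse one DER TLV starting at pos; return ((tag, payload), next_pos).

    Constructed values (bit 0x20 of the tag) are decoded recursively into a list
    of children. The depth counter stops unbounded recursion on input that nests
    SEQUENCEs thousands of levels deep, the DoS class described for CVE-2026-57914.
    """
    if depth > MAX_NESTING_DEPTH:
        raise Asn1TooDeep("nesting deeper than %d" % MAX_NESTING_DEPTH)
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("value runs past end of input")
    if tag & 0x20:
        children = []
        while pos < end:
            child, pos = parse_der(data, pos, depth + 1)
            children.append(child)
        if pos != end:
            raise ValueError("child TLV overruns its parent")
        return (tag, children), end
    return (tag, data[pos:end]), end


def nested_sequences(levels: int) -> bytes:
    """Constructed test input: `levels` SEQUENCEs nested inside one another."""
    body = b""
    for _ in range(levels):              # short-form lengths suffice up to 64 levels
        body = bytes([0x30, len(body)]) + body
    return body
```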
Finally, CVE-2026-54399, disclosed on July 3, 2026, affects Debian's httpcomponents-core5, with versions 5.4.2 and earlier, and 5.5-beta1 and earlier, vulnerable to uncontrolled resource consumption in the HTTP/1.1 message parser, potentially leading to memory exhaustion via messages with excessive headers or header length.
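The unbounded STOMP header buffer in ActiveMQ (CVE-2026-53916, above) and the excessive-header parser issue in httpcomponents-core5 (CVE-2026-54399) share one root cause: header lines are read without a bound. This added Python example, not code from either project, scans an HTTP/1.1 header section and rejects too many fields, an over-long line or an over-long block while scanning, before the data is stored; the three limits are constructed assumptions, as the page gives no figures for the real parsers.

```python
# Constructed limits for this example; the page gives no figures for the real parsers.
MAX_HEADER_COUNT = 100
MAX_LINE_LENGTH = 8 * 1024
MAX_TOTAL_HEADER_BYTES = 64 * 1024


class HeaderLimitExceeded(Exception):
    """Raised as soon as a limit is crossed, before the offending data is stored."""


def parse_headers(data: bytes) -> dict:
    """Parse the header section of an HTTP/1.1 message with limits enforced while scanning.

    Returns {lower-case name: [values...]} on success. Raises HeaderLimitExceeded
    when the peer sends too many fields, an over-long line, or an over-long block,
    and ValueError for a malformed or truncated section.
    """
    headers, pos, count, total = {}, 0, 0, 0
    while True:
        # Only look for the terminator inside the window a legal line may occupy.
        end = data.find(b"\r\n", pos, pos + MAX_LINE_LENGTH + 2)
        if end < 0:
            if len(data) - pos <= MAX_LINE_LENGTH:
                raise ValueError("header section truncated")
            raise HeaderLimitExceeded("line longer than %d bytes" % MAX_LINE_LENGTH)
        line, pos = data[pos:end], end + 2
        if not line:
            return headers                      # blank line ends the header section
        total += len(line) + 2
        count += 1
        if total > MAX_TOTAL_HEADER_BYTES:
            raise HeaderLimitExceeded("header block larger than %d bytes" % MAX_TOTAL_HEADER_BYTES)
        if count > MAX_HEADER_COUNT:
            raise HeaderLimitExceeded("more than %d header fields" % MAX_HEADER_COUNT)
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip().decode("latin-1"))
```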
This broad disclosure across multiple Apache projects highlights the ongoing challenges in securing complex software ecosystems. Users are strongly advised to consult the specific advisories for each affected product and apply patches or mitigations promptly to address these vulnerabilities. The span of the disclosures, from late June into early July, suggests a coordinated disclosure effort that users must be prepared to respond to swiftly.