CVE-2026-42253
Description
Apache ActiveMQ MessageServlet copies JMS message properties into HTTP response headers without validation, enabling header injection and XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MessageServlet in the Apache ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This allows an attacker to overwrite or inject security headers by setting them on JMS messages that are returned by the servlet. Affected versions are Apache ActiveMQ before 5.19.7 and from 6.0.0 before 6.2.6, and Apache ActiveMQ Web before 5.19.7 and from 6.0.0 before 6.2.6 [1].
Exploitation
An attacker must be able to send JMS messages to a queue or topic that the MessageServlet will return. No special authentication is required if the web console is exposed. The attacker crafts a JMS message with property names that correspond to HTTP response headers (e.g., X-Frame-Options, Set-Cookie, Content-Type). When the MessageServlet processes the message, it copies these properties directly into the HTTP response headers, overwriting existing ones or injecting new ones [1].
Impact
Successful exploitation results in HTTP response header injection. This can lead to cross-site scripting (XSS) if the attacker injects a Set-Cookie header or manipulates caching headers, or it can bypass security policies such as X-Frame-Options or Content-Security-Policy. The attacker gains the ability to control the response headers sent to the victim's browser, potentially leading to session hijacking or other client-side attacks [1].
Mitigation
Users should upgrade to Apache ActiveMQ version 5.19.7 or 6.2.6, which fix the issue. In these versions, the MessageServlet is deprecated and disabled by default. No workaround is provided for earlier versions [1].
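As an added illustration (not ActiveMQ's own code, which is not on this page), the unsafe "copy every property into a header" pattern the advisory describes, beside a hardened version that allowlists property names, rejects control characters, and never lets a message property override a header the server already set; the allowlist and the sample properties are assumptions constructed for the example:

```python
import re

# Assumed allowlist: the only message properties a servlet would be allowed
# to surface as response headers (constructed for this illustration).
HEADER_ALLOWLIST = {"x-message-id", "x-correlation-id", "x-priority"}

# Headers the application sets deliberately; a message property must never
# replace them, even if someone ever adds them to the allowlist by mistake.
PROTECTED_HEADERS = {
    "set-cookie", "content-type", "content-security-policy",
    "x-frame-options", "location", "cache-control",
}

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 header name
_CTL = re.compile(r"[\x00-\x1f\x7f]")                   # CR, LF and other controls


def naive_copy_headers(props, server_headers):
    """The vulnerable pattern: every property becomes a header, last write wins."""
    out = dict(server_headers)
    for name, value in props.items():
        out[str(name)] = str(value)
    return out


def headers_from_properties(props, server_headers):
    """Hardened merge. Returns (headers, rejected) where rejected lists
    (property_name, reason) so the drop can be logged and alerted on."""
    out = dict(server_headers)
    already_set = {k.lower() for k in out}
    rejected = []
    for name, value in props.items():
        name, value = str(name), str(value)
        key = name.lower()
        # Malformed names or values with control characters enable header
        # splitting; drop them outright rather than trying to sanitise.
        if not _TOKEN.match(name) or _CTL.search(value):
            rejected.append((name, "malformed"))
        elif key in PROTECTED_HEADERS or key not in HEADER_ALLOWLIST:
            rejected.append((name, "not allowlisted"))
        elif key in already_set:
            rejected.append((name, "would overwrite server header"))
        else:
            out[name] = value
            already_set.add(key)
    return out, rejected
```

Counting the `rejected` entries per queue is a cheap detection signal: a producer that keeps supplying protected or malformed property names is worth investigating.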
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <5.19.7, >=6.0.0 <6.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.