VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2026

CVE-2026-42588

Description

Authenticated remote code execution in Apache ActiveMQ via Jolokia JMX-HTTP bridge by invoking addNetworkConnector with a crafted URI that loads a Spring XML context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an improper input validation and code injection in Apache ActiveMQ Classic. The Jolokia JMX-HTTP bridge is exposed at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke this operation with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using a masterslave:// URL, which can load a Spring XML application context via ResourceXmlApplicationContext. This affects versions before 5.19.7 and from 6.0.0 before 6.2.6 for all three distributions: activemq-broker, activemq-all, and apache-activemq. [1]

Exploitation

An attacker needs authentication to the ActiveMQ web console (default credentials or valid session). The attacker sends a crafted JMX operation request to /api/jolokia/ invoking BrokerService.addNetworkConnector with a discovery URI that includes a masterslave:// URL pointing to an attacker-controlled Spring XML configuration. The ResourceXmlApplicationContext loads and instantiates all singleton beans from the XML before the BrokerService validates the configuration. This allows execution of arbitrary code through bean factory methods such as Runtime.exec(). [1]

Impact

Successful exploitation results in arbitrary code execution on the broker's JVM. The attacker gains full control of the ActiveMQ broker process, leading to potential data exfiltration, service disruption, or lateral movement within the network. The impact is high, with CVSS severity important. [1]

Mitigation

Upgrade to version 5.19.7 or 6.2.6, which fixes the issue. No workarounds are mentioned in the reference. Users should restrict access to the Jolokia endpoint and ensure strong authentication. [1]

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Apache / ActiveMQ (llm-fuzzy match), 2 version ranges
    • (no CPE) range: <5.19.7 || >=6.0.0 <6.2.6
    • (no CPE) range: <5.19.7 || >=6.0.0 <6.2.6

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.