Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections
A critical vulnerability (CVE-2026-42253) in Apache ActiveMQ allows attackers to inject malicious HTTP security headers via message properties, potentially leading to XSS and response manipulation.

A critical vulnerability has been disclosed in Apache ActiveMQ, enabling attackers to inject malicious HTTP security headers by exploiting improperly handled message properties. This flaw, tracked as CVE-2026-42253, could lead to cross-site scripting (XSS) and response manipulation attacks within affected deployments.
The vulnerability stems from the MessageServlet within the ActiveMQ web console API. This component copies all Java Message Service (JMS) message properties directly into HTTP response headers without adequate validation or sanitization. This oversight creates a significant attack surface, allowing adversaries to craft JMS messages with malicious header values, thereby achieving HTTP response header injection.
HTTP headers are crucial for enforcing browser-side security controls such as Content Security Policy (CSP), X-Frame-Options, and Strict-Transport-Security (HSTS). By manipulating these headers, attackers can weaken security protections, potentially enabling attacks like XSS, session hijacking, or clickjacking, especially if the ActiveMQ web console is accessible to untrusted users or integrated into enterprise workflows.
The vulnerability affects Apache ActiveMQ versions prior to 5.19.7 and versions from 6.0.0 up to, but not including, 6.2.6. Similarly, Apache ActiveMQ Web versions before 5.19.7 and 6.x versions before 6.2.6 are also impacted.
The Apache Software Foundation has addressed this issue by disabling and deprecating the MessageServlet component in patched releases, thereby reducing the attack surface. In a related development, a separate vulnerability, CVE-2026-49157, has been identified in Apache ActiveMQ concerning incorrect default permissions. This flaw allows authenticated low-privilege users to access Jolokia broker management endpoints, potentially enabling them to perform sensitive broker operations usually reserved for administrators.
These vulnerabilities underscore the systemic risk of management interfaces exposed via web consoles and APIs, particularly when input validation and access control are insufficient. Threat actors could chain the two issues to manipulate broker behavior while simultaneously undermining frontend security measures.
Security researchers Vishal Shukla, pyn3rd, uname, and 4ra1n are credited with discovering the header injection flaw, while Leon Johnson reported the Jolokia permission issue. Organizations using Apache ActiveMQ are strongly advised to upgrade to versions 5.19.7 or 6.2.6 immediately. Administrators should also review the exposure of the ActiveMQ web console, restrict access to trusted networks, and audit message-handling logic to prevent the unsafe propagation of user-controlled data into HTTP responses.
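To make the audit advice above concrete, the following Java illustration contrasts the unsafe pattern the advisory describes (every JMS message property copied straight into a response header) with an allowlisted, value-checked version. This is an added example written for this article; it is not ActiveMQ's MessageServlet source, and the header names in the allowlist are hypothetical placeholders chosen for the illustration. It uses only the standard `javax.jms.Message` and `HttpServletResponse` APIs.

```java
import java.util.Enumeration;
import java.util.Locale;
import java.util.Set;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative example only (not ActiveMQ's own code): how JMS properties
 * can end up as HTTP response headers, and how to copy them safely.
 */
public class HeaderPropagationExample {

    /**
     * Unsafe pattern: whatever name/value the message producer set becomes
     * a response header. A producer can therefore emit a header named
     * "Content-Security-Policy" or "X-Frame-Options" with a weakening value,
     * or smuggle CR/LF into a value to split the response.
     */
    public static void copyAllPropertiesUnsafe(Message msg, HttpServletResponse resp)
            throws JMSException {
        Enumeration<?> names = msg.getPropertyNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Object value = msg.getObjectProperty(name);
            resp.setHeader(name, String.valueOf(value)); // no allowlist, no validation
        }
    }

    // Hypothetical application-specific headers that are allowed to pass through.
    // Browser security headers (CSP, HSTS, X-Frame-Options, ...) are deliberately absent.
    private static final Set<String> ALLOWED_HEADERS =
            Set.of("x-app-correlation-id", "x-app-message-type");

    private static final int MAX_VALUE_LENGTH = 256;

    /** Accept only printable, single-line, bounded header values. */
    static boolean isSafeHeaderValue(String value) {
        if (value == null || value.length() > MAX_VALUE_LENGTH) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // CR, LF and other control characters are what response splitting relies on.
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    /**
     * Hardened pattern: only allowlisted property names are copied, and a
     * value that fails validation is dropped rather than "cleaned up".
     */
    public static void copyAllowlistedProperties(Message msg, HttpServletResponse resp)
            throws JMSException {
        Enumeration<?> names = msg.getPropertyNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (!ALLOWED_HEADERS.contains(name.toLowerCase(Locale.ROOT))) {
                continue; // producer-chosen names never reach the response
            }
            String value = msg.getStringProperty(name);
            if (!isSafeHeaderValue(value)) {
                continue; // drop the header entirely on any control character
            }
            resp.setHeader(name, value);
        }
    }
}
```

The allowlist is the part that matters most. Modern servlet containers commonly reject or strip CR and LF in header values, which blunts classic response splitting, but that does nothing if the producer is allowed to choose the header name itself and simply sets a real security header, such as a permissive Content-Security-Policy, to a weaker value. Dropping non-allowlisted names closes that path regardless of what the container does with the value.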