Apache ActiveMQ Vulnerabilities Expose Brokers to DoS, Data Access, and Web Console Risks
Apache ActiveMQ users should update their deployments after three newly disclosed vulnerabilities exposed brokers to denial-of-service attacks, broken temporary destination isolation, and improper Web Console authorization.
The flaws are tracked as CVE-2026-53917, CVE-2026-54475, and CVE-2026-49877. Apache rates all three as important in its official ActiveMQ Classic security advisories.
The issues affect Apache ActiveMQ Classic versions before 5.19.8 and versions from 6.0.0 before 6.2.7. The latest fixed releases are available through the official ActiveMQ Classic download page.
What Apache ActiveMQ Users Need to Know
Apache ActiveMQ is a widely used open-source message broker that helps applications exchange messages across distributed systems. When it fails, business applications that depend on queues, topics, and broker connections can also suffer outages.
The most direct crash risk comes from CVE-2026-53917. Apache says an authenticated user can send a crafted OpenWire message with a large encoded map size, causing unbounded memory allocation and an out-of-memory crash.
The issue is documented in the official CVE-2026-53917 advisory, which says OpenWire message property maps were unmarshalled without size validation.
| CVE | Issue Type | Main Risk | Affected Versions |
|---|---|---|---|
| CVE-2026-53917 | Memory allocation with excessive size value | Authenticated broker denial of service through OpenWire | Before 5.19.8, and 6.0.0 before 6.2.7 |
| CVE-2026-54475 | Missing authorization | Another connection may consume from a temporary destination it did not create | Before 5.19.8, and 6.0.0 before 6.2.7 |
| CVE-2026-49877 | Improper authorization | Low-privilege Web Console users may access /admin/* paths by default | Before 5.19.8, and 6.0.0 before 6.2.7 |
CVE-2026-53917 Can Crash Brokers Through OpenWire
CVE-2026-53917 affects Apache ActiveMQ, ActiveMQ All, ActiveMQ Client, and ActiveMQ Broker packages. The weakness sits in OpenWire property map processing.
If an authenticated attacker or compromised client sends a crafted OpenWire message with a very large encoded map size, the broker can attempt to allocate too much memory. That can trigger an out-of-memory condition and crash the broker.
For organizations that still allow broad client access to OpenWire endpoints, the OpenWire advisory makes this an urgent patching issue because one authenticated connection can affect service availability.
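To show the bug class behind CVE-2026-53917 from the defender's side, here is an added example (not code from ActiveMQ or the advisory) of a length-prefixed map decoder that validates the declared entry count before doing any per-entry work. The wire layout is a deliberately simplified, assumed format, not the real OpenWire encoding, and MAX_MAP_ENTRIES is an assumed bound chosen for the example.

```python
import struct

# Upper bound on entries accepted in one map; an assumed value for this
# example, not a limit taken from ActiveMQ itself.
MAX_MAP_ENTRIES = 1024

def _read_short_string(buf: bytes, pos: int):
    """Read a 2-byte big-endian length prefix, then that many UTF-8 bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + length > len(buf):
        raise ValueError("string length exceeds remaining payload")
    return buf[pos:pos + length].decode("utf-8"), pos + length

def unmarshal_string_map(buf: bytes) -> dict:
    """Decode a simplified map: 4-byte big-endian entry count, then a
    length-prefixed key and value per entry. The declared count is checked
    before any per-entry allocation, which is the check the advisory says
    the vulnerable OpenWire property-map code lacked."""
    if len(buf) < 4:
        raise ValueError("truncated map header")
    (count,) = struct.unpack(">i", buf[:4])
    if count < 0 or count > MAX_MAP_ENTRIES:
        raise ValueError(f"declared map size {count} exceeds limit {MAX_MAP_ENTRIES}")
    # Each entry costs at least 4 bytes of length prefixes, so a count the
    # remaining payload cannot possibly encode is rejected up front.
    if count * 4 > len(buf) - 4:
        raise ValueError(f"declared map size {count} larger than remaining payload")
    pos, result = 4, {}
    for _ in range(count):
        key, pos = _read_short_string(buf, pos)
        value, pos = _read_short_string(buf, pos)
        result[key] = value
    return result

def rejects(buf: bytes) -> bool:
    """True when the decoder refuses the input rather than trusting its size."""
    try:
        unmarshal_string_map(buf)
        return False
    except ValueError:
        return True

# Constructed inputs: a two-entry property map, and a header claiming 2^31-1 entries
# followed by only two short strings.
GOOD = (struct.pack(">i", 2) + b"\x00\x0bJMSXGroupID" + b"\x00\x06orders"
        + b"\x00\x06tenant" + b"\x00\x01a")
OVERSIZED = struct.pack(">i", 0x7FFFFFFF) + b"\x00\x01a\x00\x01b"
```

Without the two size checks, a decoder that pre-sizes a table from the declared count would try to allocate for 2^31-1 entries before reading a single one.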
CVE-2026-54475 Breaks Temporary Destination Isolation
CVE-2026-54475 affects temporary destinations in ActiveMQ Classic. Temporary queues and topics are expected to stay isolated to the connection that created them.
Apache says that isolation was only checked on the client side. As a result, a different connection could consume from another connection’s temporary destination.
The official CVE-2026-54475 notice describes the problem as a missing authorization vulnerability affecting ActiveMQ Broker, ActiveMQ All, and ActiveMQ.
Why Temporary Destination Access Matters
Temporary destinations often support request-reply messaging patterns. Applications may use them for short-lived responses, session-specific traffic, or internal workflows that should not be visible to other clients.
If one connection can read messages meant for another connection, sensitive data can leak across application boundaries. This is especially important for shared brokers, multi-tenant environments, and systems that depend on strict message isolation.
The temporary destination advisory credits Leon Johnson for finding the issue and recommends upgrading affected deployments.
CVE-2026-49877 Exposes Admin Paths to Low-Privilege Web Users
CVE-2026-49877 affects the ActiveMQ Web Console. Apache says authenticated low-privilege Web Console users could access /admin/* paths by default because the Jetty configuration did not limit those paths to administrator roles.
The advisory does not describe unauthenticated access. An attacker would still need a valid low-privilege Web Console login, but the risk remains serious for organizations that expose the console to many internal users.
Apache explains the issue in its official CVE-2026-49877 advisory, which recommends upgrading to 6.2.7 or 5.19.8.
Why the Web Console Risk Should Not Be Ignored
Management consoles deserve tighter controls than regular broker clients. Even when they sit behind authentication, overbroad access can give low-privilege accounts visibility or actions they should not have.
Administrators should review who can access the Web Console, which roles they hold, and whether the console is reachable from untrusted networks. Internet-exposed management interfaces create unnecessary risk.
The Web Console advisory also confirms that the vulnerable ranges cover ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7.
Fixed Versions and Upgrade Guidance
Apache released ActiveMQ Classic 5.19.8 and 6.2.7 on June 29, 2026. These releases address the affected version ranges and should be prioritized for production brokers.
The official download page lists 6.2.7 as the latest patch version for the supported 6.2.x series and 5.19.8 as the latest patch version for the supported 5.19.x series.
The broader ActiveMQ security page also lists these three CVEs alongside other recent advisories, showing that ActiveMQ Classic has received several security-focused updates in 2026.
Recommended Actions for Administrators
Organizations should treat these updates as a priority if ActiveMQ supports payment systems, order processing, internal event streams, or other critical workflows.
- Upgrade affected brokers to ActiveMQ Classic 5.19.8 or 6.2.7.
- Restrict broker ports to trusted clients and networks.
- Limit Web Console access to administrators only.
- Audit low-privilege Web Console accounts and remove unused users.
- Monitor for broker crashes, out-of-memory errors, and unusual OpenWire traffic.
- Check whether applications rely on temporary destinations for sensitive data flows.
- Review logs for unexpected access to /admin/* paths.
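The last action above, reviewing logs for unexpected /admin/* access, can be automated. Here is an added example (not code from the ActiveMQ project) that scans NCSA-style request log lines for /admin/* requests served to authenticated users outside an admin set; the log format, the ADMIN_USERS set and the sample lines are all assumptions constructed for the example.

```python
import re

# Accounts that legitimately hold the Web Console admin role (constructed for this example).
ADMIN_USERS = {"admin"}

# NCSA-style request log with the authenticated-user field, as Jetty's request log
# can emit. The exact format a given deployment writes is an assumption here.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not taken from a real broker; paths are illustrative.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jul/2026:09:12:01 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
10.0.0.9 - reporting [01/Jul/2026:09:12:07 +0000] "GET /admin/browse.jsp?JMSDestination=orders HTTP/1.1" 200 8801
10.0.0.9 - reporting [01/Jul/2026:09:12:08 +0000] "GET /api/jolokia/ HTTP/1.1" 200 311
10.0.0.9 - reporting [01/Jul/2026:09:13:10 +0000] "POST /admin/deleteDestination.action HTTP/1.1" 302 0
10.0.0.7 - - [01/Jul/2026:09:14:00 +0000] "GET /admin/ HTTP/1.1" 401 0
"""

def find_non_admin_admin_access(log_text: str, admin_users=ADMIN_USERS):
    """Return (user, method, path, status) for /admin/* requests that the console
    served to an authenticated user outside the admin set. Lines the console
    refused (401/403) and unauthenticated lines (user '-') are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        user, path, status = m["user"], m["path"], int(m["status"])
        if user == "-" or user in admin_users:
            continue
        if not path.startswith("/admin/") or status in (401, 403):
            continue
        findings.append((user, m["method"], path, status))
    return findings

if __name__ == "__main__":
    for hit in find_non_admin_admin_access(SAMPLE_LOG):
        print("non-admin user %s reached %s %s (HTTP %d)" % hit)
```

On an unpatched broker, hits like the two from the "reporting" account are exactly the behaviour CVE-2026-49877 describes; after upgrading, the same query is a useful regression check that the admin paths are again limited to administrator roles.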
FAQ
What are the three vulnerabilities?
The three vulnerabilities are CVE-2026-53917, CVE-2026-54475, and CVE-2026-49877. They affect OpenWire message handling, temporary destination authorization, and Web Console admin path access.
Which versions are affected?
The affected ranges are Apache ActiveMQ versions before 5.19.8 and versions from 6.0.0 before 6.2.7. Administrators should upgrade to a fixed supported release.
Can CVE-2026-53917 crash a broker?
Yes. Apache says an authenticated user can send a crafted OpenWire message with a large encoded map size, which can trigger excessive memory allocation, cause an out-of-memory condition, and crash the broker.
What does CVE-2026-54475 expose?
CVE-2026-54475 can break temporary destination isolation. A different connection may consume from another connection's temporary destination, which can expose messages that should stay isolated.
What should administrators do?
Administrators should upgrade to ActiveMQ Classic 5.19.8 or 6.2.7, restrict broker and Web Console access, review user roles, monitor for crashes, and check logs for suspicious access to admin paths or temporary destinations.