TL;DR
Apache patched nine Apache ActiveMQ vulnerabilities in version 6.2.7. Most cause denial of service, and several need no login. One flaw lets a connection hijack another connection’s temporary destination. Apache reports no in-the-wild exploitation so far.
Why It Matters
ActiveMQ moves messages for countless Java applications and microservices. Many brokers also sit exposed on the public internet. Past scans found thousands of reachable instances, and attackers have hit ActiveMQ before. So these Apache ActiveMQ vulnerabilities deserve fast attention. Five flaws rate “important.” Four of them let an unauthenticated attacker crash a broker. A crashed broker also stalls every service that depends on it. That can ripple across payments, orders, and event pipelines.
How the Attacks Work
Access and authorization flaws
CVE-2026-54475 breaks temporary destination isolation. The broker verifies ownership only on the client side. So a second connection can consume another connection’s private messages. That gap can expose replies and request data between separate tenants. CVE-2026-49877 leaves low-privilege Web Console users with admin access by default, because the Jetty configuration did not restrict /admin/* paths. A curious or malicious account could then reach broker administration. CVE-2026-49434 abuses the LdapNetworkConnector to spawn a second broker and fetch an attacker-controlled URL.
Denial-of-service flaws
Most issues exhaust broker memory. CVE-2026-53917 crashes the broker through an oversized OpenWire property map. CVE-2026-50734 and CVE-2026-50750 both force out-of-memory crashes before authentication: the first abuses wire-format negotiation, the second floods the broker with repeated BrokerInfo commands. On the STOMP side, CVE-2026-53916 and CVE-2026-49432 let unauthenticated peers overflow connection buffers with endless or negative-length headers. Both STOMP flaws are reachable without credentials, so a single exposed STOMP connector is enough for an attacker to begin.
Web Console scripting
CVE-2026-52760 stores cross-site scripting in the Web Console. An authenticated producer hides script inside a JMS message ID. That code then runs when an administrator browses the queue. The session runs with that admin’s privileges, which widens the blast radius.
Affected Versions
The flaws affect the Apache ActiveMQ, ActiveMQ All, Broker, Client, and Stomp packages before 5.19.8, plus the 6.x line from 6.0.0 up to but not including 6.2.7. The two pre-auth OpenWire DoS issues mainly hit the 5.19.7 and 6.2.6 builds. The exact package set varies by CVE, so check each advisory against your deployment.
Patch and Mitigation
Apache fixed every issue in version 6.2.7, with 5.19.8 covering the 5.x branch. So upgrade to 6.2.7 or 5.19.8 without delay. You can grab the release from the official ActiveMQ download page. Until you patch, restrict broker ports and the Web Console to trusted networks. Also enable authentication on every connector and disable unused transports. Review your LDAP search filters if you run the LdapNetworkConnector. Audit Web Console roles after upgrading, since the admin-path default changes. No public proof-of-concept has surfaced for these Apache ActiveMQ vulnerabilities. Even so, the unauthenticated DoS bugs need little skill to abuse.
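As an added example (not code from the article or from the ActiveMQ project), the script below audits an activemq.xml for the interim steps listed above: connectors bound to every interface, transports not on an allow-list, and a missing authentication plugin, plus a version check against the two fixed releases. The sample XML, the connector names and the allow-list are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CORE = "http://activemq.apache.org/schema/core"
# Authentication plugins ActiveMQ ships; with neither present, connectors accept anyone.
AUTH_PLUGINS = ("simpleAuthenticationPlugin", "jaasAuthenticationPlugin")
# Fixed releases named in the advisory: 5.19.8 for the 5.x line, 6.2.7 for 6.x.
FIXED = {5: (5, 19, 8), 6: (6, 2, 7)}

# Constructed sample config (not a real deployment): two connectors listen on
# every interface, a third on an internal address, and no auth plugin is set.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="demo">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
      <transportConnector name="mqtt" uri="mqtt://10.0.5.20:1883"/>
    </transportConnectors>
  </broker>
</beans>"""


def needs_upgrade(version):
    """True when a 5.x or 6.x broker is below its fixed release (other lines not assessed)."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed


def audit(xml_text, needed_transports=("openwire",)):
    """Return (connector, issue) findings for one activemq.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for broker in root.iter(f"{{{CORE}}}broker"):
        if all(broker.find(f".//{{{CORE}}}{p}") is None for p in AUTH_PLUGINS):
            findings.append(("broker", "no authentication plugin configured"))
        for tc in broker.iter(f"{{{CORE}}}transportConnector"):
            name = tc.get("name", "?")
            host = urlsplit(tc.get("uri", "")).hostname
            if name not in needed_transports:
                findings.append((name, "unused transport still enabled"))
            if host in ("0.0.0.0", "::"):
                findings.append((name, "bound to every interface; restrict to a trusted network"))
    return findings


if __name__ == "__main__":
    for connector, issue in audit(SAMPLE_XML):
        print(f"{connector}: {issue}")
```

Point `audit` at your own activemq.xml contents and pass the transports your clients actually use as `needed_transports`; every finding maps to one of the interim mitigations above.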