CVE-2026-40466
Published: 24 April 2026
Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.
Mitigating Controls (NIST 800-53 r5)
- Enforce validation of inputs to the Jolokia interface, rejecting HTTP URIs and brokerConfig parameters that enable code injection via Spring XML.
- Remediate the known flaw promptly by upgrading to ActiveMQ 5.19.6 or 6.2.5, which directly fix this input validation bypass and code injection vulnerability.
- Restrict the system to least functionality by removing unnecessary modules such as activemq-http and by not exposing Jolokia, which eliminates the vector for adding malicious connectors.
Security Summary
CVE-2026-40466 is an improper input validation and code injection vulnerability (CWE-20, CWE-94) affecting Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ. It allows an authenticated attacker to bypass the mitigation implemented for CVE-2026-34197 by leveraging the Jolokia interface to invoke BrokerView.addNetworkConnector or BrokerView.addConnector with an HTTP Discovery transport, provided the activemq-http module is present on the classpath. The vulnerability impacts versions of Apache ActiveMQ Broker before 5.19.6 and from 6.0.0 before 6.2.5, as well as corresponding versions of Apache ActiveMQ All and Apache ActiveMQ.
An authenticated attacker with network access can exploit this by configuring a malicious HTTP endpoint that returns a VM transport URI, evading the validation added in CVE-2026-34197. The attacker then specifies a brokerConfig parameter in the VM transport to load a remote Spring XML application context via ResourceXmlApplicationContext. Since Spring instantiates singleton beans prior to BrokerService configuration validation, this enables arbitrary code execution on the broker's JVM, for example through bean factory methods like Runtime.exec(). The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high severity, reachable over the network, low attack complexity, and only low privileges required.
The Apache security advisory recommends upgrading to Apache ActiveMQ Broker version 5.19.6 or 6.2.5 (and equivalent for Apache ActiveMQ All and ActiveMQ), which address the issue. Additional details on the related CVE-2026-34197 are available at https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt.
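The check that the description and summary above say was missing, as an added example (Python, not ActiveMQ's own code): a connector-URI validator that applies the same rules to the URIs a discovery endpoint advertises as to the URI the caller submitted, before anything is instantiated. The composite `scheme:(a,b)?k=v` syntax follows ActiveMQ's; the scheme sets, the `fake_discovery` resolver and every sample URI are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

FORBIDDEN_SCHEMES = {"vm"}           # in-JVM transport, the one that honours brokerConfig
FORBIDDEN_PARAMS = {"brokerconfig"}  # matched case-insensitively; loads a Spring XML context
DISCOVERY_SCHEMES = {"discovery", "http"}  # assumed: schemes whose targets come from a remote agent

def _split_top_level(s):
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):  # split on commas not nested inside parentheses
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(s[start:i])
            start = i + 1
    parts.append(s[start:])
    return [p.strip() for p in parts if p.strip()]

def split_composite(uri):
    """'static:(tcp://a:1,tcp://b:2)?k=v' -> ('static', ['tcp://a:1', 'tcp://b:2'], 'k=v')."""
    scheme, _, rest = uri.partition(":")
    if not rest.startswith("("):
        return scheme.lower(), [], urlsplit(uri).query
    close = rest.rfind(")")
    return scheme.lower(), _split_top_level(rest[1:close]), rest[close + 1:].lstrip("?")

def validate(uri, resolve, depth=0):
    """Reasons to reject `uri` ([] = acceptable). `resolve(uri)` stands in for the
    discovery agent; whatever it advertises is re-checked before use (the CVE-2026-40466 gap)."""
    if depth > 4:  # a discovery endpoint could advertise itself; do not recurse forever
        return [f"{uri}: nesting too deep"]
    scheme, inner, query = split_composite(uri)
    problems = []
    if scheme in FORBIDDEN_SCHEMES:
        problems.append(f"{uri}: scheme '{scheme}' is not allowed for a connector")
    for key in parse_qs(query, keep_blank_values=True):
        if key.lower() in FORBIDDEN_PARAMS:
            problems.append(f"{uri}: parameter '{key}' is not allowed")
    for sub in inner:  # composite members get the same rules
        problems += validate(sub, resolve, depth + 1)
    if scheme in DISCOVERY_SCHEMES:  # the step the bypass relied on being absent
        for advertised in resolve(uri):
            problems += validate(advertised, resolve, depth + 1)
    return problems

# Constructed stand-in for a discovery endpoint: one benign broker plus a VM transport carrying brokerConfig.
ADVERTISED = {"http://discovery.example.internal/brokers": [
    "tcp://broker-b.example.internal:61616",
    "vm://localhost?brokerConfig=http://192.0.2.10/context.xml"]}  # placeholder value

def fake_discovery(uri):
    return ADVERTISED.get(uri, [])
```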
Details
- CWE(s): CWE-20 (Improper Input Validation), CWE-94 (Improper Control of Generation of Code ('Code Injection'))
- Affected Products: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote authenticated attackers to achieve arbitrary code execution via improper input validation and code injection in the Jolokia HTTP interface of Apache ActiveMQ, directly mapping to exploitation of a public-facing application.