CVE-2026-41044
Published: 24 April 2026
Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Mitigating Controls (NIST 800-53 r5, AI-generated)
- Directly addresses the improper input validation vulnerability by requiring validation of all inputs to the ActiveMQ admin web console, blocking malicious broker names that contain xbean bindings.
- Mitigates the vulnerability comprehensively by requiring timely flaw remediation: upgrading to patched ActiveMQ version 5.19.6 or 6.2.5.
- Enforces secure configuration settings for ActiveMQ so that strict broker name restrictions are applied and the validation bypass that leads to code injection is prevented.
Security Summary (AI-generated)
CVE-2026-41044 is an improper input validation and code injection vulnerability (CWE-20, CWE-94) affecting Apache ActiveMQ, Apache ActiveMQ Broker, and Apache ActiveMQ All. It enables an authenticated attacker to manipulate the admin web console by crafting a malicious broker name that evades validation, embedding an xbean binding. This binding can subsequently be exploited via a VM transport to load a remote Spring XML application context. The vulnerability impacts versions of Apache ActiveMQ prior to 5.19.6 and from 6.0.0 prior to 6.2.5, as well as the corresponding Broker and All components, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low-privilege authenticated access (PR:L) can exploit this remotely over the network with no user interaction required. After first setting a malicious broker name that includes the xbean binding in the admin console, the attacker uses the DestinationView MBean to dispatch a message. This triggers VM transport creation referencing the tainted broker name, causing the broker's JVM to load and instantiate the remote malicious Spring XML context. Because Spring's ResourceXmlApplicationContext instantiates singleton beans before BrokerService validation runs, the attacker achieves arbitrary code execution through bean factory methods like Runtime.exec().
The Apache ActiveMQ security advisory recommends upgrading to version 5.19.6 or 6.2.5, which address the issue by fixing the validation bypass and related code injection risks. Details are available in the official announcement at https://activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/23/6.
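The only complete fix the advisory offers is upgrading, so the first job for a defender is finding every broker still inside the affected ranges. The following is an added example (not code from the advisory or the ActiveMQ project) that encodes the two affected ranges from the description and triages a constructed inventory of host-to-version mappings; the host names and versions are made up.

```python
import re
from typing import Optional

# Affected ranges from the CVE-2026-41044 advisory, as [lower, upper) per release
# line. The upper bound of each range is the first fixed release on that line.
AFFECTED_RANGES = (
    ((0, 0, 0), (5, 19, 6)),   # every release before 5.19.6
    ((6, 0, 0), (6, 2, 5)),    # 6.0.0 up to, but not including, 6.2.5
)

def parse_version(text: str) -> tuple:
    """Turn '5.18.3', '6.2' or '6.2.5-SNAPSHOT' into a 3-tuple of ints.
    Non-numeric suffixes are dropped; missing components are padded with 0."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+){0,2})", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if the version is not affected."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if lower <= v < upper:
            return ".".join(str(x) for x in upper)
    return None

def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None

def triage(inventory: dict) -> list:
    """inventory maps host -> reported version; returns sorted (host, version, fix)
    rows for every host that still needs to be upgraded."""
    rows = []
    for host, version in inventory.items():
        fix = fixed_version_for(version)
        if fix is not None:
            rows.append((host, version, fix))
    return sorted(rows)

# Constructed sample inventory for the demonstration (not real hosts).
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.3",
    "mq-prod-02": "5.19.6",
    "mq-stage-01": "6.2.4",
    "mq-dev-01": "6.3.0-SNAPSHOT",
}
if __name__ == "__main__":
    for host, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2026-41044, upgrade to {fix}")
```

Because suffixes are dropped, a pre-release such as 6.2.5-SNAPSHOT is classified as fixed; treat snapshot builds as unpatched unless the vendor fix is confirmed in them.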
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
CVE-2026-41044 enables remote code execution through improper input validation in the ActiveMQ admin web console (T1190: Exploit Public-Facing Application) and facilitates privilege escalation from low-privileged authenticated access to arbitrary code execution as the broker service (T1068: Exploitation for Privilege Escalation).