HIGH 8.1

CVE-2026-42588: Apache ActiveMQ Remote Code Execution via Jolokia Code Injection

Apache ActiveMQ's web console exposes a remote interface (Jolokia) that allows authenticated users to interact with the message broker's management functions. An attacker who has legitimate access credentials can craft a specially formed network connector request that tricks the broker into loading and executing arbitrary code hidden in a Spring XML configuration file. The vulnerability exists because the broker doesn't properly validate the input before processing it, and Spring automatically instantiates code within those XML files before any security checks occur.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-20, CWE-94
Affected products
2 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave:// " URL which can allow loading a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42588 is a code injection flaw in Apache ActiveMQ stemming from improper input validation on the Jolokia JMX-HTTP bridge (exposed at /api/jolokia/). The default Jolokia policy permits exec operations against ActiveMQ MBeans, including BrokerService.addNetworkConnector(). An authenticated attacker can invoke this method with a crafted discovery URI using the "masterslave://" transport scheme, which triggers the broker's VM transport configuration parameter. This parameter leverages Spring's ResourceXmlApplicationContext to load an external or attacker-controlled XML file. Because Spring instantiates all singleton beans—including those with factory methods like Runtime.exec()—before BrokerService validates the configuration, arbitrary code execution occurs in the broker's JVM context. The flaw affects ActiveMQ versions before 5.19.7 and 6.x versions before 6.2.6.

Business impact

Successful exploitation enables an authenticated attacker to execute arbitrary code on the ActiveMQ broker server with the privileges of the ActiveMQ process. In production environments, this typically means the attacker can read/write messages, access message contents, pivot to other systems sharing the broker's network trust, exfiltrate data, deploy malware, or disrupt message queuing operations entirely. Organizations relying on ActiveMQ for critical asynchronous processing, payment systems, order management, or inter-service communication face operational downtime and potential data breach scenarios.

Affected systems

Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ versions are affected: 5.x branch before version 5.19.7, and 6.x branch before version 6.2.6. The vulnerability requires that Jolokia remain accessible on the web console (default configuration) and that an attacker possess valid authentication credentials to the management interface. Air-gapped or internal-only deployments are still at risk if an insider or compromised internal service has access.

Exploitability

Exploitation requires authentication—an attacker must have valid credentials to access the Jolokia interface. However, this requirement is not a strong protection in practice: many organizations use weak or shared credentials, inherit default credentials, or inadvertently expose the management console to trusted network segments where lateral movement is possible. Once authenticated, the attack is deterministic; no user interaction is needed. The crafted discovery URI can be delivered programmatically. The code injection mechanism is reliable because Spring's bean instantiation is a core framework behavior and cannot be disabled selectively.

Remediation

Organizations should upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6 or later, which fixes the input validation issue and restricts what operations can be performed via Jolokia. Prior to patching, apply network segmentation to restrict access to the ActiveMQ web console (typically port 8161) to only authorized administrator networks. Disable or restrict the Jolokia bridge if not required for operations. Review access logs to identify any suspicious exec invocations. Assume compromise if exploitation is suspected and rotate credentials used by downstream services connecting to ActiveMQ.

Patch guidance

Verify the specific patch versions from the official Apache ActiveMQ security advisory. Apply version 5.19.7 or later for the 5.x branch, or 6.2.6 or later for the 6.x branch. Test patches in a non-production environment first, as ActiveMQ upgrades may require verification of client compatibility and message broker restart procedures. Plan for scheduled downtime; in-place upgrades are typically supported but should be validated. After upgrade, verify that the Jolokia endpoint no longer accepts the malicious masterslave:// URI by testing with a benign discovery configuration.

Detection guidance

Monitor ActiveMQ logs and Jolokia access logs for POST/GET requests to /api/jolokia/ containing "masterslave://" in the URI or request body, especially those targeting BrokerService.addNetworkConnector(). Look for unusual process execution spawned from the ActiveMQ JVM (child processes, outbound network connections, file writes). Network intrusion detection can flag attempts to reach external XML configuration repositories. Correlate authentication events with suspicious Jolokia API calls to identify lateral attack patterns. Review Tomcat or embedded web server logs for 403/401 responses followed by successful authentication attempts.

Why prioritize this

This vulnerability scores 8.1 (HIGH) because it combines authenticated remote code execution with high-impact consequences (confidentiality and integrity violation). The barrier to exploitation is moderate—authentication is required—but ActiveMQ deployments in enterprise messaging environments often have weaker perimeter controls, and compromised internal credentials are common. The attack surface is well-known (Jolokia on the web console), and exploitation is deterministic once credentials are obtained. Organizations should prioritize patching production ActiveMQ brokers within 30 days.

Risk score, explained

CVSS 3.1 score of 8.1 reflects: Network attack vector (immediate remote access), Low attack complexity (no special conditions beyond authentication), Low privileges required (standard user credentials sufficient), no user interaction, no scope change, and high impact on confidentiality and integrity (remote code execution). The score stops short of 9.0+ because the attack requires prior authentication; however, in environments with permissive credential management or internal compromise scenarios, this is a practical risk.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The Jolokia interface requires valid authentication credentials to invoke any operations, including the malicious exec command. However, if an attacker has compromised any internal credential or service account with access to the web console, or if default/weak credentials are in use, this protection is bypassed.

Does simply disabling the web console eliminate the risk?

Disabling the web console is the most effective mitigation before patching. If Jolokia is not needed for operational purposes, it can be removed or the endpoint can be access-controlled via firewall rules or authentication proxies. However, for environments that depend on Jolokia for management, patching is mandatory.

What should we do if we suspect our ActiveMQ broker was exploited?

Assume compromise of the broker and any data or systems it can access. Immediately isolate the broker from production traffic, preserve logs for forensics, rotate credentials for all services authenticating to the broker, scan for lateral movement to dependent systems, and review message broker audit logs for unauthorized operations. Engage your incident response team and consider third-party forensics if data exfiltration is suspected.

Are versions 5.18.x or earlier 6.x versions safe if we cannot upgrade immediately?

No. Only versions 5.19.7+ and 6.2.6+ contain the fix. Versions prior to these are vulnerable. If immediate patching is not possible, implement strict network access controls to the web console and enforce strong authentication, while planning an upgrade within your maintenance window.

This analysis is provided for informational purposes to assist security teams in understanding and prioritizing vulnerability response. It does not constitute legal, compliance, or operational advice. Organizations should verify all patch versions, affected system inventories, and compatibility requirements against official Apache ActiveMQ security advisories and their specific deployment configurations. SEC.co does not guarantee the accuracy of third-party vendor information. Always test patches in a non-production environment and consult your change management procedures before deploying security updates. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).