CVE-2026-45505: Apache ActiveMQ Code Injection Vulnerability—Exploit & Patch Guidance
Apache ActiveMQ contains a code injection vulnerability that allows authenticated attackers to execute arbitrary code on the broker. The issue stems from improper validation of discovery wrapper URLs—specifically non-parenthesized formats like `masterslave:vm://...` and `static:vm://`—which bypass a previous security fix. An attacker with valid credentials can exploit the Jolokia JMX-HTTP bridge to load malicious Spring XML configurations, leading to remote code execution with broker privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-20, CWE-94
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass validation allowing bypass of fix in CVE-2026-34197. Original description from CVE-2026-34197. Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery UR that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45505 is a code injection vulnerability in Apache ActiveMQ's Jolokia bridge. The vulnerability chains improper input validation (CWE-20) with unsafe code generation (CWE-94). Unauthenticated access to Jolokia is restricted, but authenticated users can invoke BrokerService.addNetworkConnector() or BrokerService.addConnector() with crafted discovery URLs that bypass validation. When the VM transport processes these URLs with the brokerConfig parameter, Spring's ResourceXmlApplicationContext loads remote XML files and instantiates all singleton beans before broker-side validation occurs. Malicious beans leverage Spring factory methods—such as those invoking Runtime.exec()—to achieve arbitrary code execution in the broker JVM. The vulnerability affects ActiveMQ versions before 5.19.7 and 6.0.0–6.2.5.
Business impact
Exploitation grants attackers the ability to run arbitrary code with the privileges of the ActiveMQ broker process. In many deployments, this translates to lateral movement opportunities, data exfiltration, message tampering, denial of service, or pivot points into backend systems. The attack requires prior authentication, reducing opportunistic exploitation but elevating insider threat risk and the impact of credential compromise. Organizations relying on ActiveMQ for critical messaging infrastructure face potential disruption and data integrity loss.
Affected systems
Apache ActiveMQ Broker versions before 5.19.7 and from 6.0.0 before 6.2.6 are vulnerable. The advisory covers Apache ActiveMQ Broker, Apache ActiveMQ All, and the base Apache ActiveMQ product line across these version ranges. Users on 5.19.7, 6.2.6, or later are protected.
Exploitability
Exploitation requires valid broker credentials (Jolokia authentication). The attack is network-accessible with low attack complexity—no special tooling or user interaction is needed beyond crafting a malicious discovery URL. The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network access, low complexity, and high impact across confidentiality, integrity, and availability. However, the authentication requirement moderates the practical risk in hardened environments with strong credential controls.
Remediation
Upgrade immediately to Apache ActiveMQ 5.19.7 or 6.2.6 or later. These versions fix the validation bypass by properly rejecting non-parenthesized discovery wrapper formats. If immediate patching is not feasible, restrict Jolokia access through network segmentation, firewall rules, or reverse proxy configurations to limit exposure to trusted administrative networks only.
Patch guidance
Apache ActiveMQ 5.19.7 and 6.2.6 contain the fixes. Apply these versions or any later release. Verify the patch against the official Apache ActiveMQ security advisory to ensure your build includes the discovery wrapper validation improvements. Test in a staging environment before production deployment to confirm compatibility with custom configurations and dependent applications.
Detection guidance
Monitor for HTTP POST requests to `/api/jolokia/` endpoints containing discovery wrapper patterns such as `masterslave:vm://` or `static:vm://` in the request body. Log and alert on invocations of BrokerService.addNetworkConnector() or BrokerService.addConnector() operations via Jolokia. Examine broker logs for Spring context loading errors or unexpected bean instantiation. Network detection should flag outbound connections from ActiveMQ brokers to external XML resources. Review Jolokia access logs for anomalous authenticated user activity, especially from service accounts or during off-hours.
Why prioritize this
HIGH priority due to the 8.8 CVSS score, code execution capability, and the ease of exploitation once credentials are obtained. Organizations should prioritize patching in the sequence: production messaging brokers handling sensitive data, development environments with shared credentials, and lower-risk test systems. The authentication requirement provides a partial natural barrier, but compromised credentials or insider threats elevate urgency.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a network-accessible attack (AV:N) with low complexity (AC:L), requiring authentication (PR:L), no user interaction (UI:N), single system scope (S:U), and complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). While the authentication requirement prevents unauthenticated exploitation, the severity remains high because valid credentials can be obtained through phishing, insider access, or previous compromises. The impact is not limited to information disclosure; attackers gain full code execution.
Frequently asked questions
Does this vulnerability require network access to the ActiveMQ web console, or can it be exploited through other interfaces?
Exploitation specifically targets the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/` on the web console. It is not exploitable through pure JMX ports or other ActiveMQ interfaces. Restricting HTTP access to the web console to trusted networks significantly reduces risk.
What is the difference between CVE-2026-45505 and CVE-2026-34197?
CVE-2026-34197 was a previous code injection vulnerability in ActiveMQ that was partially mitigated. CVE-2026-45505 is a bypass of that mitigation: the non-parenthesized discovery wrapper formats (`masterslave:vm://` and `static:vm://`) were not properly validated, allowing attackers to circumvent the earlier fix. Both require patching to versions 5.19.7 or 6.2.6.
If we use strong network controls and do not expose Jolokia to untrusted networks, are we still at risk?
Segmentation significantly reduces risk, but you are not eliminated from danger if an insider, compromised service account, or lateral movement attack provides authenticated access to the web console. Additionally, misconfigurations can accidentally expose interfaces. Patching remains the definitive mitigation; segmentation is a defense-in-depth layer.
Are there any workarounds if we cannot patch immediately?
Restrict Jolokia access using firewall rules, reverse proxy authentication, and network segmentation to trusted administrative hosts only. Disable the web console entirely if not needed, or use a load balancer to require additional authentication layers. Monitor closely for suspicious Jolokia activity. These are temporary measures; patching should proceed as soon as feasible.
This analysis is based on public CVE data and the Apache ActiveMQ security advisory as of the modification date. Security landscapes evolve; always consult the latest vendor advisory and your own threat modeling for your environment. SEC.co does not provide legal, compliance, or specific remediation guarantees. Testing patches in staging is mandatory before production deployment. This analysis does not constitute professional security advice; engage qualified security personnel for your organization's risk decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42588HIGHApache ActiveMQ Remote Code Execution via Jolokia Code Injection
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)