Apache ActiveMQ Critical Vulnerabilities Allow DoS Attacks, System Crashes
Key Takeaways
- Apache has disclosed three critical vulnerabilities impacting ActiveMQ, ActiveMQ All, ActiveMQ Client, and ActiveMQ Broker.
- The flaws, identified as CVE-2026-53917, CVE-2026-54475, and CVE-2026-49877, could lead to denial-of-service, unauthorized access, and broken message isolation.
- Affected versions include Apache ActiveMQ before 5.19.8 and from 6.0.0 before 6.2.7.
- Immediate upgrades to ActiveMQ 5.19.8 or 6.2.7 are strongly recommended to mitigate these risks.
Apache ActiveMQ Vulnerabilities Detailed
The Apache Software Foundation has issued an urgent advisory for users of its ActiveMQ messaging platform, revealing three significant vulnerabilities that could expose deployments to severe security risks, including denial-of-service (DoS) attacks, compromised message isolation, and unauthorized administrative access. These issues span both the 5.x and 6.x branches of the software and necessitate immediate patching to secure messaging infrastructure.
CVE-2026-53917: Memory Allocation with Excessive Size Value
A critical memory allocation flaw, tracked as CVE-2026-53917, affects various components including Apache ActiveMQ, ActiveMQ All, ActiveMQ Client, and ActiveMQ Broker. This vulnerability arises from the improper handling of OpenWire message property maps during unmarshalling.
An authenticated attacker can exploit this weakness by transmitting a specially crafted OpenWire message whose encoded property map declares an excessively large entry count. Because the broker did not validate this count before acting on it, it attempted to allocate memory proportional to the attacker-supplied size rather than to the bytes actually present in the message. A single such message can exhaust the heap, trigger an out-of-memory (OOM) condition, and crash the broker, which amounts to a denial of service for every application that depends on that messaging instance.
This vulnerability impacts Apache ActiveMQ versions prior to 5.19.8 and versions from 6.0.0 up to, but not including, 6.2.7. Environments that expose the OpenWire transport to many clients are particularly susceptible: since a message has to be unmarshalled before the broker can tell which destination it targets, per-destination authorization does not help, and any credential that can open an OpenWire connection reaches the vulnerable code path. A single compromised or malicious client could therefore reliably take down the entire broker.
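The pattern behind this class of bug is generic to any length-prefixed format: the parser trusts a count or length field and allocates before checking that the data could possibly be there. The following is an added example, not ActiveMQ's code, and it uses a deliberately simplified wire format (an i32 entry count followed by u16-prefixed keys and i32-prefixed values) that is an assumption of this example, not the real OpenWire encoding. It shows the vulnerable shape beside a hardened parser that bounds the declared count, checks it against the bytes that actually follow, and never allocates ahead of the data. The limit constants and the sample messages are constructed for the example.

```python
import struct

# Assumed hard limits for the hardened parser; tune them to your deployment.
MAX_MAP_ENTRIES = 10_000
MAX_STRING_BYTES = 64 * 1024
MIN_ENTRY_BYTES = 2 + 4  # an empty key (u16 length) plus an empty value (i32 length)


def marshal_map(props: dict) -> bytes:
    """Encode a property map in this example's simplified format:
    i32 entry count, then per entry a u16-prefixed key and an i32-prefixed value."""
    out = bytearray(struct.pack(">i", len(props)))
    for key, value in props.items():
        kb, vb = key.encode("utf-8"), value.encode("utf-8")
        out += struct.pack(">H", len(kb)) + kb
        out += struct.pack(">i", len(vb)) + vb
    return bytes(out)


def unmarshal_map_unchecked(buf: bytes) -> dict:
    """Vulnerable pattern: storage is sized from the attacker-controlled count before a
    single entry has been read. Never call this on untrusted input."""
    (count,) = struct.unpack_from(">i", buf, 0)
    slots = [None] * count  # up to 2**31-1 slots, roughly 16 GiB of pointers on CPython
    pos = 4
    for i in range(count):
        (klen,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        key = buf[pos:pos + klen].decode("utf-8")
        pos += klen
        (vlen,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        value = buf[pos:pos + vlen].decode("utf-8")
        pos += vlen
        slots[i] = (key, value)
    return dict(slots)


def _read_len(buf: bytes, pos: int, fmt: str):
    """Read a length field, rejecting negative or oversized values and truncated headers."""
    size = struct.calcsize(fmt)
    if pos + size > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(fmt, buf, pos)
    if n < 0 or n > MAX_STRING_BYTES:
        raise ValueError(f"string length {n} outside [0, {MAX_STRING_BYTES}]")
    return n, pos + size


def _read_str(buf: bytes, pos: int, n: int):
    if pos + n > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def unmarshal_map_checked(buf: bytes) -> dict:
    """Hardened parser: validate the declared count against a hard limit and against the
    bytes actually present, then grow the result one entry at a time."""
    if len(buf) < 4:
        raise ValueError("truncated map header")
    (count,) = struct.unpack_from(">i", buf, 0)
    pos = 4
    if count < 0 or count > MAX_MAP_ENTRIES:
        raise ValueError(f"map entry count {count} outside [0, {MAX_MAP_ENTRIES}]")
    if count * MIN_ENTRY_BYTES > len(buf) - pos:
        raise ValueError(f"map declares {count} entries but only {len(buf) - pos} bytes follow")
    props = {}
    for _ in range(count):
        klen, pos = _read_len(buf, pos, ">H")
        key, pos = _read_str(buf, pos, klen)
        vlen, pos = _read_len(buf, pos, ">i")
        value, pos = _read_str(buf, pos, vlen)
        props[key] = value
    if pos != len(buf):
        raise ValueError("trailing bytes after map")
    return props


def declared_entry_count(buf: bytes) -> int:
    """The raw count field, i.e. what the unchecked parser would trust."""
    (count,) = struct.unpack_from(">i", buf, 0)
    return count


def parse_result(buf: bytes) -> tuple:
    """('ok', props) or ('rejected', reason) from the hardened parser."""
    try:
        return "ok", unmarshal_map_checked(buf)
    except ValueError as exc:
        return "rejected", str(exc)


# Constructed sample messages for this example, not captured traffic.
BENIGN_MESSAGE = marshal_map({"JMSXGroupID": "orders", "region": "eu-west-1"})
# Declares 2**31-1 entries but carries only 16 bytes of payload.
CRAFTED_MESSAGE = struct.pack(">i", 0x7FFFFFFF) + b"\x00" * 16

if __name__ == "__main__":
    print(parse_result(BENIGN_MESSAGE))
    print("crafted message declares", declared_entry_count(CRAFTED_MESSAGE), "entries")
    print(parse_result(CRAFTED_MESSAGE))
```

The check that matters is the second one: a count is only plausible if `count * MIN_ENTRY_BYTES` fits in the remaining buffer, which rejects the crafted message on arithmetic alone, before any allocation. The hard cap on entries is defence in depth for messages that are large but still legal.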
CVE-2026-54475: Missing Authorization in Temporary Destinations
Another significant vulnerability, CVE-2026-54475, has been identified as a “Missing Authorization” flaw impacting Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ Classic. This issue concerns the isolation of temporary destinations.
In ActiveMQ Classic, temporary queues and topics are meant to be exclusive to the connection that created them: any connection may send to a temporary destination (that is how reply-to patterns work), but only the creating connection should be able to consume from it. The enforcement of this rule was, however, primarily client-side. The broker did not fully verify ownership when another connection subscribed to or consumed from a temporary destination, so a different, unauthorized connection could read messages from someone else's temporary queue or topic.
This breakdown in isolation exposes transient message flows, typically request/reply traffic, to other authenticated connections, with a risk of data leakage or unintended cross-tenant access in multi-tenant or shared messaging environments. The affected ranges are the same as for the other two issues: Apache ActiveMQ before 5.19.8 and from 6.0.0 before 6.2.7.
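To make the ownership rule concrete, here is an added example (not ActiveMQ's own code) of a toy in-memory broker that models only temporary-destination ownership. With `enforce_ownership=False` it behaves like the flawed broker, trusting that clients will only consume from their own temporary queues; with `enforce_ownership=True` it performs the server-side check the fix describes. The request/reply scenario, the connection names (`app`, `pricing`, `intruder`) and the queue names are constructed for this example.

```python
import itertools
from collections import deque


class AuthorizationError(Exception):
    """Raised when a connection consumes from a temporary destination it does not own."""


class Broker:
    """Toy broker modelling the temp-destination ownership rule only.
    enforce_ownership=False reproduces the flaw: the broker never checks who consumes."""

    def __init__(self, enforce_ownership: bool = True):
        self.enforce_ownership = enforce_ownership
        self._ids = itertools.count(1)
        self._queues = {}      # destination name -> deque of message bodies
        self._temp_owner = {}  # temp destination name -> owning connection id

    def create_temp_queue(self, conn_id: str) -> str:
        # Real brokers derive the name from the connection id. The name is not a secret:
        # it travels in every reply-to header, so naming is not what protects the queue.
        name = f"temp-queue://ID:{conn_id}-{next(self._ids)}"
        self._queues[name] = deque()
        self._temp_owner[name] = conn_id
        return name

    def send(self, conn_id: str, destination: str, body: str) -> None:
        # Any connection may produce to a temp destination; that is how a reply reaches it.
        self._queues.setdefault(destination, deque()).append(body)

    def receive(self, conn_id: str, destination: str) -> str:
        owner = self._temp_owner.get(destination)
        if owner is not None and owner != conn_id:
            if self.enforce_ownership:
                raise AuthorizationError(
                    f"{conn_id} may not consume from {destination}, owned by {owner}")
            # Vulnerable path: fall through and hand the message to the wrong connection.
        queue = self._queues[destination]
        if not queue:
            raise LookupError("no message available")
        return queue.popleft()

    def close_connection(self, conn_id: str) -> None:
        # Temporary destinations die with the connection that created them.
        for name, owner in list(self._temp_owner.items()):
            if owner == conn_id:
                del self._temp_owner[name]
                del self._queues[name]


def request_reply_scenario(enforce_ownership: bool) -> dict:
    """Client 'app' asks service 'pricing' for a quote via a temporary reply queue; 'intruder',
    a different authenticated connection that learned the queue name, tries to read the
    reply before the owner does."""
    broker = Broker(enforce_ownership)
    reply_to = broker.create_temp_queue("app")
    broker.send("app", "queue://pricing.requests", f"quote SKU-42 reply_to={reply_to}")

    # The service legitimately sends to a temp queue it does not own.
    request = broker.receive("pricing", "queue://pricing.requests")
    broker.send("pricing", request.split("reply_to=")[1], "SKU-42 price=19.90")

    outcome = {"reply_to": reply_to}
    try:
        outcome["intruder_read"] = broker.receive("intruder", reply_to)
    except AuthorizationError as exc:
        outcome["intruder_read"] = None
        outcome["denied"] = str(exc)
    # The owner only gets its reply if nobody else drained the queue first.
    try:
        outcome["owner_read"] = broker.receive("app", reply_to)
    except LookupError:
        outcome["owner_read"] = None
    broker.close_connection("app")
    return outcome


if __name__ == "__main__":
    print("flawed broker: ", request_reply_scenario(enforce_ownership=False))
    print("fixed broker:  ", request_reply_scenario(enforce_ownership=True))
```

The point the scenario makes is that the leak is not merely a disclosure: whoever consumes first takes the message, so the legitimate owner never sees its reply, and the check has to live in the broker because the intruding connection is a different client that the well-behaved client library cannot police.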
CVE-2026-49877: Improper Authorization in Web Console
Lastly, CVE-2026-49877, an “Improper Authorization” vulnerability, has been discovered in the Apache ActiveMQ Web Console. The root cause lies in an insecure default configuration of the underlying Jetty server.
By default, the Jetty security constraints shipped with the Web Console did not restrict the administrative paths under `/admin/*` to users holding an administrative role. Any account that could authenticate to the console, including a low-privileged one intended only for read-only monitoring, could therefore browse straight to those endpoints and use the management functions behind them: altering broker settings, or treating the management interface as a pivot point for further unauthorized actions.
This vulnerability affects Apache ActiveMQ versions before 5.19.8 and from 6.0.0 before 6.2.7. It is of particular concern for deployments that expose the Web Console for day-to-day operational management, and it is worth remembering that the console runs inside the broker's own JVM, so administrative actions there act directly on the broker.
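The authorization decision at issue is a path-to-roles mapping, which is easy to reason about once written down. The following added example (not ActiveMQ's or Jetty's code) models servlet-style constraint matching in a simplified form: exact, prefix (`/admin/*`) and suffix (`*.jsp`) specs, deny only where a constraint applies and the user lacks its roles, and a path with no constraint is open to anyone, which is how a servlet container behaves. The two configurations are constructed in the shape the advisory describes, not copied from the project's `jetty.xml`, and the role names, the `monitor` user and the paths are assumptions of the example. The audit function is the check to run against your own constraint mappings after an upgrade.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConstraintMapping:
    """One constraint: a servlet-style path spec and the roles allowed through it.
    Specs are exact ('/index.html'), prefix ('/admin/*') or suffix ('*.jsp')."""
    path_spec: str
    roles: frozenset


def spec_matches(spec: str, path: str) -> bool:
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def most_specific(mappings, path: str):
    """Exact match beats the longest prefix match beats a suffix match; None if nothing matches.
    (A simplification: real containers merge overlapping constraints by their own rules.)"""
    hits = [m for m in mappings if spec_matches(m.path_spec, path)]
    if not hits:
        return None

    def rank(m):
        if m.path_spec == path:
            return (3, 0)
        if m.path_spec.endswith("/*"):
            return (2, len(m.path_spec))
        return (1, 0)

    return max(hits, key=rank)


def authorize(mappings, path: str, user_roles) -> bool:
    """Servlet-container semantics: an unconstrained path is open to everyone, including
    unauthenticated requests; a constrained path requires one of the listed roles."""
    m = most_specific(mappings, path)
    if m is None:
        return True
    return bool(m.roles & frozenset(user_roles))


def audit_admin_paths(mappings, admin_roles=frozenset({"admin"})) -> list:
    """Flag every constraint on /admin/* that admits a non-admin role, and the worse case
    where nothing constrains /admin/* at all."""
    findings = []
    covered = False
    for m in mappings:
        if m.path_spec == "/admin/*" or m.path_spec.startswith("/admin/"):
            covered = True
            extra = m.roles - admin_roles
            if extra:
                findings.append(f"{m.path_spec} admits non-admin roles {sorted(extra)}")
    if not covered:
        findings.append("no constraint covers /admin/*")
    return findings


# Constructed configurations for this example (assumed role names and paths).
WEAK_CONFIG = (
    ConstraintMapping("/admin/*", frozenset({"user", "admin"})),  # any authenticated user
    ConstraintMapping("*.jsp", frozenset({"user", "admin"})),
)
FIXED_CONFIG = (
    ConstraintMapping("/admin/*", frozenset({"admin"})),          # administrators only
    ConstraintMapping("*.jsp", frozenset({"user", "admin"})),
)

if __name__ == "__main__":
    monitor = {"user"}  # a low-privilege console account
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "/admin/queues.jsp as monitor ->", authorize(cfg, "/admin/queues.jsp", monitor))
        print(label, "audit ->", audit_admin_paths(cfg))
```

Note the ordering rule: `/admin/queues.jsp` matches both `/admin/*` and `*.jsp`, and it is the admin prefix that must win; a configuration where a permissive suffix rule takes precedence over the admin prefix would reopen the hole even with the role list corrected.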
What You Should Do
Apache strongly advises all organizations running affected versions of ActiveMQ to implement the following mitigation steps immediately:
- Upgrade Immediately: Update your Apache ActiveMQ deployments to version 5.19.8 or 6.2.7. These releases incorporate strict size validation for OpenWire property maps, enforce server-side ownership checks for temporary destinations, and correct the default authorization behavior in the Web Console to restrict `/admin/*` paths to legitimate administrative users.
- Restrict Network Access: Limit network exposure for both ActiveMQ brokers and the Web Console. Implement firewall rules to ensure that only trusted hosts and users can access these critical components.
- Audit Roles and Permissions: Regularly review and audit user roles and permissions within ActiveMQ and the Web Console to ensure that the principle of least privilege is strictly enforced. Remove any unnecessary administrative access.
- Monitor for Anomalies: Implement robust monitoring for unusual memory usage patterns, unexpected broker crashes, and any suspicious or unauthorized access attempts to the messaging infrastructure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.