GHSA-w3w2-mpp5-92gm

Source

https://github.com/advisories/GHSA-w3w2-mpp5-92gm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3w2-mpp5-92gm/GHSA-w3w2-mpp5-92gm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w3w2-mpp5-92gm

Aliases

BIT-activemq-2026-40466
CVE-2026-40466

Related

CGA-3rgm-946g-m52h

Published

2026-04-24T12:30:27Z

Modified

2026-05-14T17:44:15.576787136Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache ActiveMQ Vulnerable to Improper Input Validation and Code Injection

Details

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.

Database specific

{
    "nvd_published_at": "2026-04-24T11:16:22Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-94"
    ],
    "github_reviewed_at": "2026-05-05T00:09:59Z"
}

References

Affected packages

Maven

org.apache.activemq:apache-activemq

Package

Name: org.apache.activemq:apache-activemq; View open source insights on deps.dev
Purl: pkg:maven/org.apache.activemq/apache-activemq

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.6

Affected versions

4.*

4.1.1

4.1.2

5.*

5.0.0

5.1.0

5.2.0

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.5.1

5.6.0

5.7.0

5.8.0

5.9.0

5.9.1

5.10.0

5.10.1

5.10.2

5.11.0

5.11.1

5.11.2

5.11.3

5.11.4

5.12.0

5.12.1

5.12.2

5.12.3

5.13.0

5.13.1

5.13.2

5.13.3

5.13.4

5.13.5

5.14.0

5.14.1

5.14.2

5.14.3

5.14.4

5.14.5

5.15.0

5.15.1

5.15.2

5.15.3

5.15.4

5.15.5

5.15.6

5.15.7

5.15.8

5.15.9

5.15.10

5.15.11

5.15.12

5.15.13

5.15.14

5.15.15

5.15.16

5.16.0

5.16.1

5.16.2

5.16.3

5.16.4

5.16.5

5.16.6

5.16.7

5.16.8

5.17.0

5.17.1

5.17.2

5.17.3

5.17.4

5.17.5

5.17.6

5.17.7

5.18.0

5.18.1

5.18.2

5.18.3

5.18.4

5.18.5

5.18.6

5.18.7

5.19.0

5.19.1

5.19.2

5.19.3

5.19.4

5.19.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3w2-mpp5-92gm/GHSA-w3w2-mpp5-92gm.json"

org.apache.activemq:activemq-all

Package

Name: org.apache.activemq:activemq-all; View open source insights on deps.dev
Purl: pkg:maven/org.apache.activemq/activemq-all

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.6

Affected versions

4.*

4.1.2

5.*

5.0.0

5.1.0

5.2.0

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.5.1

5.6.0

5.7.0

5.8.0

5.9.0

5.9.1

5.10.0

5.10.1

5.10.2

5.11.0

5.11.1

5.11.2

5.11.3

5.11.4

5.12.0

5.12.1

5.12.2

5.12.3

5.13.0

5.13.1

5.13.2

5.13.3

5.13.4

5.13.5

5.14.0

5.14.1

5.14.2

5.14.3

5.14.4

5.14.5

5.15.0

5.15.1

5.15.2

5.15.3

5.15.4

5.15.5

5.15.6

5.15.7

5.15.8

5.15.9

5.15.10

5.15.11

5.15.12

5.15.13

5.15.14

5.15.15

5.15.16

5.16.0

5.16.1

5.16.2

5.16.3

5.16.4

5.16.5

5.16.6

5.16.7

5.16.8

5.17.0

5.17.1

5.17.2

5.17.3

5.17.4

5.17.5

5.17.6

5.17.7

5.18.0

5.18.1

5.18.2

5.18.3

5.18.4

5.18.5

5.18.6

5.18.7

5.19.0

5.19.1

5.19.2

5.19.3

5.19.4

5.19.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3w2-mpp5-92gm/GHSA-w3w2-mpp5-92gm.json"

org.apache.activemq:activemq-broker

Package

Name: org.apache.activemq:activemq-broker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.activemq/activemq-broker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.6

Affected versions

5.*

5.8.0

5.9.0

5.9.1

5.10.0

5.10.1

5.10.2

5.11.0

5.11.1

5.11.2

5.11.3

5.11.4

5.12.0

5.12.1

5.12.2

5.12.3

5.13.0

5.13.1

5.13.2

5.13.3

5.13.4

5.13.5

5.14.0

5.14.1

5.14.2

5.14.3

5.14.4

5.14.5

5.15.0

5.15.1

5.15.2

5.15.3

5.15.4

5.15.5

5.15.6

5.15.7

5.15.8

5.15.9

5.15.10

5.15.11

5.15.12

5.15.13

5.15.14

5.15.15

5.15.16

5.16.0

5.16.1

5.16.2

5.16.3

5.16.4

5.16.5

5.16.6

5.16.7

5.16.8

5.17.0

5.17.1

5.17.2

5.17.3

5.17.4

5.17.5

5.17.6

5.17.7

5.18.0

5.18.1

5.18.2

5.18.3

5.18.4

5.18.5

5.18.6

5.18.7

5.19.0

5.19.1

5.19.2

5.19.3

5.19.4

5.19.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3w2-mpp5-92gm/GHSA-w3w2-mpp5-92gm.json"

org.apache.activemq:apache-activemq

Package

Name: org.apache.activemq:apache-activemq; View open source insights on deps.dev
Purl: pkg:maven/org.apache.activemq/apache-activemq

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.2.5

Affected versions

6.*

6.0.0

6.0.1

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.8

6.2.0

6.2.1

6.2.2

6.2.3

6.2.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3w2-mpp5-92gm/GHSA-w3w2-mpp5-92gm.json"

org.apache.activemq:activemq-all

Package

Name: org.apache.activemq:activemq-all; View open source insights on deps.dev
Purl: pkg:maven/org.apache.activemq/activemq-all

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.2.5

Affected versions

6.*

6.0.0

6.0.1

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.8

6.2.0

6.2.1

6.2.2

6.2.3

6.2.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3w2-mpp5-92gm/GHSA-w3w2-mpp5-92gm.json"

org.apache.activemq:activemq-broker

Package

Name: org.apache.activemq:activemq-broker; View open source insights on deps.dev
Purl: pkg:maven/org.apache.activemq/activemq-broker

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.2.5

Affected versions

6.*

6.0.0

6.0.1

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.8

6.2.0

6.2.1

6.2.2

6.2.3

6.2.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w3w2-mpp5-92gm/GHSA-w3w2-mpp5-92gm.json"