This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/main by this push:
new bdf005a21 Add new CVE announcements
bdf005a21 is described below
commit bdf005a21fb9d37d8ba39de05b9e740de6da1f16
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Mon Jun 29 15:05:38 2026 -0400
Add new CVE announcements
---
src/components/classic/security.md | 9 +++++++
.../CVE-2026-49432-announcement.txt | 31 ++++++++++++++++++++++
.../CVE-2026-49434-announcement.txt | 29 ++++++++++++++++++++
.../CVE-2026-49877-announcement.txt | 24 +++++++++++++++++
.../CVE-2026-50734-announcement.txt | 28 +++++++++++++++++++
.../CVE-2026-50750-announcement.txt | 24 +++++++++++++++++
.../CVE-2026-50760-announcement.txt | 26 ++++++++++++++++++
.../CVE-2026-53916-announcement.txt | 29 ++++++++++++++++++++
.../CVE-2026-53917-announcement.txt | 30 +++++++++++++++++++++
.../CVE-2026-54475-announcement.txt | 29 ++++++++++++++++++++
10 files changed, 259 insertions(+)
diff --git a/src/components/classic/security.md
b/src/components/classic/security.md
index 24222e7f3..c9d64cebc 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md
@@ -9,6 +9,15 @@ Details of security problems fixed in released versions of
Apache ActiveMQ Class
See the main [Security Advisories](../../security-advisories) page for details
for other components and general information such as reporting new security
issues.
+*
[CVE-2026-54475](../../security-advisories.data/CVE-2026-54475-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-53917](../../security-advisories.data/CVE-2026-53917-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-53916](../../security-advisories.data/CVE-2026-49157-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-50760](../../security-advisories.data/CVE-2026-50760-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-50750](../../security-advisories.data/CVE-2026-50750-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-50734](../../security-advisories.data/CVE-2026-50734-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-49877](../../security-advisories.data/CVE-2026-49877-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-49434](../../security-advisories.data/CVE-2026-49434-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
+*
[CVE-2026-49432](../../security-advisories.data/CVE-2026-49432-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
*
[CVE-2026-49270](../../security-advisories.data/CVE-2026-49270-announcement.txt)
- Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)
*
[CVE-2026-49157](../../security-advisories.data/CVE-2026-49157-announcement.txt)
- Authenticated low-privilege Web users retain Jolokia broker-management
capability by default
*
[CVE-2026-46605](../../security-advisories.data/CVE-2026-46605-announcement.txt)
- Incomplete authorization during destination removal
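Review bot: all nine new list items reuse the CVE-2026-49157 summary ("Authenticated low-privilege Web users retain Jolokia broker-management capability by default"), but the announcement files added in this same commit describe different issues (CVE-2026-49432 is a STOMP negative content-length DoS, CVE-2026-49434 is LDAP-driven transport instantiation, CVE-2026-50760 is a stored XSS in the Web Console browse page, CVE-2026-54475 is missing authorization on temporary destinations, and so on). Each item needs a one-line summary matching its own announcement, otherwise the index misleads readers triaging which advisories apply to them. Separately, the CVE-2026-53916 item links to `CVE-2026-49157-announcement.txt` rather than `CVE-2026-53916-announcement.txt`, which this commit adds.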
diff --git a/src/security-advisories.data/CVE-2026-49432-announcement.txt
b/src/security-advisories.data/CVE-2026-49432-announcement.txt
new file mode 100644
index 000000000..a53910745
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49432-announcement.txt
@@ -0,0 +1,31 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) before 5.19.8
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) 6.0.0 before 6.2.7
+
+Description:
+
+Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ
All, Apache ActiveMQ Stomp.
+
+A remote unauthenticated peer that can reach an exposed STOMP connector can
trigger denial-of-service behavior by sending a negative content-length. For
the NIO STOMP transport, an attacker can keep streaming body bytes and grow the
per-connection command buffer beyond configured limits to cause OOM. For the
blocking STOMP protocol, an error will instead force abnormal transport
exception handling for the affected connection and closure.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7;
Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ
Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
+
+
+
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
issue.
+
+Credit:
+
+Youngjoon Kim (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49432
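Review bot: there are four consecutive blank lines between the "This issue affects" paragraph and the upgrade recommendation; the other announcements in this commit use a single blank line, so this one should be trimmed for consistency.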
diff --git a/src/security-advisories.data/CVE-2026-49434-announcement.txt
b/src/security-advisories.data/CVE-2026-49434-announcement.txt
new file mode 100644
index 000000000..9cc137058
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49434-announcement.txt
@@ -0,0 +1,29 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+
+Description:
+
+Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache
ActiveMQ, Apache ActiveMQ All.
+
+An attacker that has access to publish or modify entries in LDAP that match
the configured searchBase and searchFilter can instantiate denied transports
inside the broker JVM. This can be used to fetch an attacker URL and spawn a
second BrokerService inside the same JVM.
+This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before
6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ
All: before 5.19.8, from 6.0.0 before 6.2.7.
+
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
issue.
+
+Credit:
+
+@Add Content (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49434
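Review bot: the Credit section still contains the placeholder `@Add Content (finder)`; replace it with the reporter's name before this is published, or drop the section as CVE-2026-50750 does. The description also names `searchBase` and `searchFilter` without saying which LDAP discovery or authorization configuration they belong to; a short pointer would help operators decide whether their deployment is exposed.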
diff --git a/src/security-advisories.data/CVE-2026-49877-announcement.txt
b/src/security-advisories.data/CVE-2026-49877-announcement.txt
new file mode 100644
index 000000000..7f1c3a9ab
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-49877-announcement.txt
@@ -0,0 +1,24 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+
+Description:
+
+Improper Authorization vulnerability in Apache ActiveMQ.
+
+An authenticated low-privilege Web Console user by default can access /admin/*
paths in the Web Console. The default Jetty settings incorrectly did not limit
those paths to only admins.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-49877
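Review bot: the description attributes the issue to the default Jetty settings not restricting `/admin/*` to admins, but gives no interim mitigation for operators who cannot upgrade immediately; a sentence noting that the shipped Jetty security constraints for those paths can be tightened locally would be useful next to the upgrade recommendation.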
diff --git a/src/security-advisories.data/CVE-2026-50734-announcement.txt
b/src/security-advisories.data/CVE-2026-50734-announcement.txt
new file mode 100644
index 000000000..5f4cc08a5
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-50734-announcement.txt
@@ -0,0 +1,28 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.8
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before
6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+
+Description:
+
+Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ
Client, Apache ActiveMQ, Apache ActiveMQ All.
+
+An unauthenticated network attacker can cause a broker DoS by sending a
crafted WireFormatInfo frame with a malicious large size value. The value is
not validate and causes the broker to attempt allocation during pre-auth
negotiation which can trigger OOM and crash the broker.
+This issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before
6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ
All: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
issue.
+
+Credit:
+
+Andrej Tomci (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-50734
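Review bot: typo in the description: "The value is not validate" should read "The value is not validated".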
diff --git a/src/security-advisories.data/CVE-2026-50750-announcement.txt
b/src/security-advisories.data/CVE-2026-50750-announcement.txt
new file mode 100644
index 000000000..ca1652d77
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-50750-announcement.txt
@@ -0,0 +1,24 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 5.19.7 before
5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.2.6 before
6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 5.19.7 before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.6 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 5.19.7 before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.2.6 before 6.2.7
+
+Description:
+
+Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker,
Apache ActiveMQ, Apache ActiveMQ All.
+
+Following the fix for CVE-2026-49270 an unauthenticated attacker can now
cause broker OOM by sending an repeated BrokerInfo commands without sending a
ConnectionInfo, until the broker will crash with OOM.
+This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from
6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6
before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before
6.2.7.
+
+Users are recommended to upgrade to version 6.2.7, which fixes the issue.
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-50750
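Review bot: the upgrade recommendation names only 6.2.7, but the affected list includes 5.19.7 before 5.19.8, so 5.19.8 must be named as the fix for the 5.x line as the other announcements do. The description also has a grammar slip ("sending an repeated BrokerInfo commands" should be "sending repeated BrokerInfo commands"), and this file has no Credit section, which differs from the rest of the set and should be confirmed as intentional.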
diff --git a/src/security-advisories.data/CVE-2026-50760-announcement.txt
b/src/security-advisories.data/CVE-2026-50760-announcement.txt
new file mode 100644
index 000000000..b5322d965
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-50760-announcement.txt
@@ -0,0 +1,26 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ Web Console (org.apache.activemq:apache-web-console) before
5.19.8
+- Apache ActiveMQ Web Console (org.apache.activemq:apache-web-console) 6.0.0
before 6.2.7
+
+Description:
+
+Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console.
+
+The browse page in the web console renders a message Id directly without
sanitization. This allows an authenticated producer to send a message with a
JMS message ID that has been crafted to contain HTML/JavaScript such that when
an administrator browses the queue in the Web Console, the payload executes in
their browser.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7;
Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
issue.
+
+Credit:
+
+Biswajeet Ray (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-52760
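Review bot: the CVE record link points at CVE-2026-52760 while the announcement is for CVE-2026-50760; the reference should be `https://www.cve.org/CVERecord?id=CVE-2026-50760`.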
diff --git a/src/security-advisories.data/CVE-2026-53916-announcement.txt
b/src/security-advisories.data/CVE-2026-53916-announcement.txt
new file mode 100644
index 000000000..1396d4335
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-53916-announcement.txt
@@ -0,0 +1,29 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) before 5.19.8
+- Apache ActiveMQ Stomp (org.apache.activemq:activemq-stomp) 6.0.0 before 6.2.7
+
+Description:
+
+Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ,
Apache ActiveMQ All, Apache ActiveMQ Stomp.
+
+
+An unauthenticated client that opens a STOMP NIO connection can send header
bytes that never terminate which makes the broker buffer them without limit,
exhausting the JVM heap.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7;
Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ
Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
issue.
+
+Credit:
+
+tonghuaroot (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-53916
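Review bot: there is a doubled blank line between the vulnerability-class sentence and the description paragraph; the other announcements use one. Trivial, but this file is published verbatim.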
diff --git a/src/security-advisories.data/CVE-2026-53917-announcement.txt
b/src/security-advisories.data/CVE-2026-53917-announcement.txt
new file mode 100644
index 000000000..ef7f71f09
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-53917-announcement.txt
@@ -0,0 +1,30 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.8
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before
6.2.7
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.7
+
+Description:
+
+Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ,
Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker.
+
+An authenticated user can cause a broker DoS by sending a crafted OpenWire
Message with a large encoded size value for the map. OpenWire message property
maps are unmarshaled without size validation which can trigger OOM and crash
the broker.
+This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7;
Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ
Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before
5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the
issue.
+
+Credit:
+
+tonghuaroot (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-53917
diff --git a/src/security-advisories.data/CVE-2026-54475-announcement.txt
b/src/security-advisories.data/CVE-2026-54475-announcement.txt
new file mode 100644
index 000000000..debd90c34
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-54475-announcement.txt
@@ -0,0 +1,29 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.7
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
+
+Description:
+
+Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ
All, Apache ActiveMQ.
+
+Apache ActiveMQ Classic temporary destinations are expected to be isolated to
the connection that created them. The isolation can be broken as this is only
checked in the client, allowing a different connection to consume from another
connection's temporary
+destination.
+This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before
6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache
ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
+
+Users are recommended to upgrade to version 6.2.7, which fixes the issue.
+
+Credit:
+
+Leon Johnson (github: lokerxx) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-54475
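Review bot: the upgrade recommendation names only 6.2.7 although the affected list covers 5.x before 5.19.8; add 5.19.8 as in the other announcements. The description is also split mid-sentence across two lines ("connection's temporary" / "destination."), which should be joined.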