Severity: important 

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.6
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6

Description:

Improper Input Validation, Improper Control of Generation of Code ('Code 
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, 
Apache ActiveMQ.

Non-parenthesized discovery wrappers such as `masterslave:vm://...,...`
and `static:vm://...` incorrectly pass validation, allowing a bypass of the fix
for CVE-2026-34197.

Original description from CVE-2026-34197:

Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web 
console. The default Jolokia access policy permits exec operations on all 
ActiveMQ MBeans (org.apache.activemq:*), including 
BrokerService.addNetworkConnector(String) and 
BrokerService.addConnector(String). An authenticated attacker can invoke these 
operations with a crafted discovery URI that triggers the VM transport's 
brokerConfig parameter to load a remote Spring XML application context using 
ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext 
instantiates all singleton beans before the BrokerService validates the 
configuration, arbitrary code execution occurs on the broker's JVM through bean 
factory methods such as Runtime.exec(). 
This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 
6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache 
ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the 
issue.
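The bypass class described above is a validator that only unwraps parenthesized composite URIs. As an added illustration (not ActiveMQ's own code), the Python below normalises discovery URIs in both the parenthesized and the bare comma-separated form before checking the leaf transports for the brokerConfig parameter; the set of wrapper schemes, the sample URIs and the placeholder host are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed set of ActiveMQ composite/discovery wrapper schemes (not taken from
# the ActiveMQ source). Each wraps one or more inner transport URIs, written
# either as "scheme:(uri1,uri2)?opts" or, as the advisory notes, "scheme:uri1,uri2".
WRAPPER_SCHEMES = {"static", "masterslave", "failover", "discovery", "fanout"}


def _split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def leaf_uris(uri):
    """Recursively unwrap composite URIs, with or without parentheses."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in WRAPPER_SCHEMES:
        return [uri]
    if rest.startswith("("):
        # Drop the wrapper's own "?options" that follow the closing parenthesis.
        end = rest.rfind(")")
        rest = rest[1:end] if end != -1 else rest[1:]
    leaves = []
    for inner in _split_top_level(rest):
        leaves.extend(leaf_uris(inner))
    return leaves


def offending_leaves(uri):
    """Return every leaf vm:// URI that carries brokerConfig, however it is wrapped."""
    found = []
    for leaf in leaf_uris(uri):
        parts = urlsplit(leaf)
        if parts.scheme.lower() == "vm" and "brokerConfig" in parse_qs(parts.query):
            found.append(leaf)
    return found
```

A check that looks only at the outermost URI string, or only unwraps the parenthesized form, would pass the bare `static:vm://...` case that this advisory describes.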

Credit:

lokerxx (finder)

References:

https://nvd.nist.gov/vuln/detail/CVE-2026-34197
https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-45505
