Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections

A critical vulnerability in Apache ActiveMQ has been disclosed, allowing attackers to inject malicious HTTP security headers through improperly handled message properties, potentially leading to cross-site scripting and response manipulation attacks in affected deployments.

Tracked as CVE-2026-42253, the issue impacts both Apache ActiveMQ and Apache ActiveMQ Web components.

The flaw originates from the MessageServlet within the ActiveMQ web console API, which copies all Java Message Service (JMS) message properties directly into HTTP response headers without applying validation or sanitization.

This behavior creates a dangerous attack surface that allows adversaries to craft JMS messages with malicious header values, resulting in HTTP response header injection.

Because HTTP headers play a critical role in enforcing browser-side security controls such as Content Security Policy (CSP), X-Frame-Options, and Strict-Transport-Security (HSTS), attackers can abuse this flaw to overwrite or inject headers that weaken security protections.

Apache ActiveMQ Vulnerability

In real-world scenarios, this could enable cross-site scripting (XSS), session hijacking, or clickjacking attacks, especially when the ActiveMQ web console is exposed to untrusted users or integrated into enterprise workflows.

The vulnerability affects Apache ActiveMQ versions before 5.19.7 and versions from 6.0.0 up to but not including 6.2.6. Similarly, Apache ActiveMQ Web versions before 5.19.7 and 6.x versions before 6.2.6 are also vulnerable.

The Apache Software Foundation has addressed the issue by disabling and deprecating the MessageServlet component in patched releases, significantly reducing the attack surface.

In parallel, another important flaw, CVE-2026-49157, has been identified in Apache ActiveMQ involving incorrect default permissions.

This vulnerability allows authenticated low-privilege users to retain access to Jolokia broker management endpoints.

Due to overly permissive default authorization settings, non-admin users could execute sensitive broker operations such as creating or deleting queues, actions typically restricted to administrative roles.

This flaw raises concerns about privilege escalation and unauthorized broker manipulation in multi-user environments.

Both vulnerabilities highlight systemic risks in management interfaces exposed via web consoles and APIs, particularly when input validation and access control mechanisms are insufficient.

Attackers targeting enterprise messaging systems could chain these issues to manipulate broker behavior while simultaneously weakening frontend security protections.

Security researchers Vishal Shukla, pyn3rd, uname, and 4ra1n were credited with discovering the header injection flaw. At the same time, Leon Johnson reported the Jolokia permission issue.

Organizations using Apache ActiveMQ are strongly advised to upgrade immediately to versions 5.19.7 or 6.2.6, as both vulnerabilities have been remediated in those versions.

Additionally, administrators should review the exposure of the ActiveMQ web console, restrict access to trusted networks, and audit message-handling logic for the unsafe propagation of user-controlled data into HTTP responses.

Given ActiveMQ’s widespread use in enterprise messaging and microservices architectures, these vulnerabilities pose a significant risk if left unpatched, particularly in environments where web console access is not tightly controlled.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP