Multiple Apache ActiveMQ Vulnerabilities Enable DoS Attacks and Lead to Crashes

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Apache ActiveMQ users are advised to urgently update their deployments after three important vulnerabilities were disclosed, exposing messaging infrastructure to denial-of-service (DoS) attacks, broken isolation, and improper authorization risks.

The issues, tracked as CVE-2026-53917, CVE-2026-54475, and CVE-2026-49877, affect core components across both the 5.x and 6.x branches and can lead to broker crashes and unauthorized access if left unpatched.

CVE-2026-53917 is a “Memory Allocation with Excessive Size Value” vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, and Apache ActiveMQ Broker.

The flaw resides in how OpenWire message property maps are unmarshalled. When an authenticated user sends a crafted OpenWire message with a very large encoded map size, the broker attempts to allocate memory without validating the size.

Because the declared map size is never bounded, the broker can quickly exhaust its heap and hit an out-of-memory (OOM) condition, crashing it and denying service to every application that depends on that messaging infrastructure.

This vulnerability affects Apache ActiveMQ before 5.19.8 and from 6.0.0 before 6.2.7, including the All, Client, and Broker artifacts in the same version ranges.
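The bug class described above is "trust the length prefix": a decoder sizes an allocation from a count the sender wrote into the header before it has read a single entry. The following is an added example, not ActiveMQ's code and not the OpenWire wire format; it uses a small constructed encoding (int32 entry count, then length-prefixed key, one-byte type tag, value) to show the unchecked pattern beside a hardened decoder. The limit `MAX_MAP_ENTRIES`, the tag values and the sample properties are assumptions chosen for the illustration.

```python
"""Length-prefixed map decoding: vulnerable pattern beside the hardened one.

Constructed encoding for illustration only (NOT the OpenWire wire format):
  int32 entry_count | entries...
  entry = uint16 key_len | key (utf-8) | uint8 tag | value
  tag 1 = bool (1 byte), tag 2 = int64 (8 bytes), tag 3 = str (uint16 len + utf-8)
"""
import struct
from typing import Optional

MAX_MAP_ENTRIES = 1024  # assumed policy limit; the article does not state ActiveMQ's actual bound
MIN_ENTRY_BYTES = 4     # smallest legal entry: 2-byte key length + 1-byte tag + 1-byte bool value
TAG_BOOL, TAG_INT, TAG_STR = 1, 2, 3


class MalformedMapError(ValueError):
    """Raised when the encoded map is rejected before any size-driven allocation."""


def marshal_map(props: dict) -> bytes:
    """Encode a str -> bool|int|str mapping in the constructed format."""
    out = bytearray(struct.pack(">i", len(props)))
    for key, value in props.items():
        kb = key.encode("utf-8")
        out += struct.pack(">H", len(kb)) + kb
        if isinstance(value, bool):            # bool before int: bool is an int subclass
            out += struct.pack(">B?", TAG_BOOL, value)
        elif isinstance(value, int):
            out += struct.pack(">Bq", TAG_INT, value)
        elif isinstance(value, str):
            vb = value.encode("utf-8")
            out += struct.pack(">BH", TAG_STR, len(vb)) + vb
        else:
            raise TypeError(f"unsupported value type {type(value).__name__}")
    return bytes(out)


def _take(buf: bytes, off: int, n: int) -> bytes:
    """Bounds-checked slice: never read past the end of the payload."""
    if off + n > len(buf):
        raise MalformedMapError(f"entry needs {n} bytes at offset {off}, only {len(buf) - off} left")
    return buf[off:off + n]


def _read_entry(buf: bytes, off: int):
    """Decode one entry; returns (key, value, next_offset)."""
    (klen,) = struct.unpack(">H", _take(buf, off, 2)); off += 2
    key = _take(buf, off, klen).decode("utf-8"); off += klen
    tag = _take(buf, off, 1)[0]; off += 1
    if tag == TAG_BOOL:
        value = bool(_take(buf, off, 1)[0]); off += 1
    elif tag == TAG_INT:
        (value,) = struct.unpack(">q", _take(buf, off, 8)); off += 8
    elif tag == TAG_STR:
        (vlen,) = struct.unpack(">H", _take(buf, off, 2)); off += 2
        value = _take(buf, off, vlen).decode("utf-8"); off += vlen
    else:
        raise MalformedMapError(f"unknown value tag {tag}")
    return key, value, off


def unmarshal_map_unchecked(buf: bytes) -> dict:
    """Vulnerable pattern: a container is sized from the declared count before a single
    entry is read, so a four-byte header alone can drive an allocation of billions of
    slots. Kept only for contrast; never feed it untrusted input."""
    (count,) = struct.unpack(">i", _take(buf, 0, 4))
    entries = [None] * count  # allocation controlled entirely by the sender
    off = 4
    for i in range(count):
        key, value, off = _read_entry(buf, off)
        entries[i] = (key, value)
    return dict(entries)


def reject_reason(buf: bytes, max_entries: int = MAX_MAP_ENTRIES) -> Optional[str]:
    """Validate the declared size before anything is allocated from it. Returns None if
    the header is acceptable, otherwise a human-readable reason (useful for audit logs)."""
    if len(buf) < 4:
        return "truncated header"
    (count,) = struct.unpack(">i", buf[:4])
    if count < 0:
        return f"negative entry count {count}"
    if count > max_entries:
        return f"declared {count} entries exceeds limit {max_entries}"
    payload = len(buf) - 4
    if count * MIN_ENTRY_BYTES > payload:   # cheap plausibility check against the real payload length
        return f"declared {count} entries cannot fit in {payload} payload bytes"
    return None


def unmarshal_map(buf: bytes, max_entries: int = MAX_MAP_ENTRIES) -> dict:
    """Hardened decoder: bound the declared count, check it against the payload length,
    and only then build the result incrementally as entries are actually read."""
    reason = reject_reason(buf, max_entries)
    if reason is not None:
        raise MalformedMapError(reason)
    (count,) = struct.unpack(">i", buf[:4])
    props, off = {}, 4
    try:
        for _ in range(count):
            key, value, off = _read_entry(buf, off)
            props[key] = value
    except UnicodeDecodeError as exc:
        raise MalformedMapError(f"invalid UTF-8 in entry: {exc}") from None
    if off != len(buf):
        raise MalformedMapError(f"{len(buf) - off} trailing bytes after last entry")
    return props


if __name__ == "__main__":
    good = marshal_map({"tenant": "acme", "retries": 3, "urgent": True})  # constructed sample
    print(unmarshal_map(good))
    # A header declaring 2**31-1 entries with no payload is rejected before any allocation.
    print(reject_reason(b"\x7f\xff\xff\xff"))
```

The two checks in `reject_reason` are independent: the hard cap protects against a plausible-looking count that is simply too large for the broker's policy, while the payload-length comparison rejects a header whose count could never be satisfied by the bytes that actually arrived, which is the cheapest signal that a frame is malformed.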

Apache ActiveMQ Vulnerabilities

Environments that rely on OpenWire clients are particularly exposed, as a single malicious or compromised client can reliably take down the broker.

CVE-2026-54475 is a “Missing Authorization” vulnerability affecting Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ.

In ActiveMQ Classic, temporary destinations are designed to be isolated to the connection that created them, so only that connection can consume messages from its temporary queue or topic.

However, this isolation was enforced only in the client logic. The broker did not fully verify ownership, which means a different connection can consume messages from another connection’s temporary destination.

This breaks the expected isolation model and allows unauthorized access to transient message flows. This issue also affects Broker, All, and core ActiveMQ versions 5.19.8 and earlier, as well as 6.0.0 through 6.2.7.

In multi-tenant or shared messaging environments, this weakness can enable data leakage or unintended cross-tenant access if attackers can establish separate connections to the same broker.
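The fix for this class of issue is to make the broker, not the client library, the authority on who owns a temporary destination. The following is an added example, not ActiveMQ's code: a small registry that records the creating connection for each temporary destination and refuses consume requests from any other connection. A flag lets the same registry model the weak behaviour the article describes, where the broker trusted clients to police themselves. Connection ids and destination names are constructed samples.

```python
"""Broker-side ownership enforcement for temporary destinations (constructed illustration)."""
from collections import deque
from typing import Deque, Dict, List


class AuthorizationError(PermissionError):
    """A connection tried to consume from a temporary destination it did not create."""


class TemporaryDestinationRegistry:
    def __init__(self, enforce_ownership: bool = True):
        # enforce_ownership=False models the weak behaviour: only the client checked ownership
        self.enforce_ownership = enforce_ownership
        self._owner: Dict[str, str] = {}            # destination name -> creating connection id
        self._queues: Dict[str, Deque[str]] = {}    # destination name -> pending messages

    def create(self, connection_id: str, name: str) -> None:
        """Record which connection created the destination; this is the fact the broker must own."""
        if name in self._owner:
            raise ValueError(f"{name} already exists")
        self._owner[name] = connection_id
        self._queues[name] = deque()

    def publish(self, name: str, message: str) -> None:
        """Any connection may produce to a temporary destination (reply-to pattern)."""
        if name not in self._queues:
            raise KeyError(f"unknown destination {name}")
        self._queues[name].append(message)

    def can_consume(self, connection_id: str, name: str) -> bool:
        """Server-side decision: only the creating connection may consume."""
        if name not in self._owner:
            return False
        if not self.enforce_ownership:
            return True  # weak: broker assumes the client library already refused foreign access
        return self._owner[name] == connection_id

    def consume(self, connection_id: str, name: str) -> List[str]:
        if name not in self._owner:
            raise KeyError(f"unknown destination {name}")
        if not self.can_consume(connection_id, name):
            raise AuthorizationError(f"{connection_id} does not own {name}")
        queue = self._queues[name]
        messages = list(queue)
        queue.clear()
        return messages

    def connection_closed(self, connection_id: str) -> None:
        """Temporary destinations live only as long as the connection that created them."""
        for name in [n for n, owner in self._owner.items() if owner == connection_id]:
            del self._owner[name]
            del self._queues[name]


if __name__ == "__main__":
    dest = "temp-queue://reply-1"  # constructed sample
    weak = TemporaryDestinationRegistry(enforce_ownership=False)
    weak.create("conn-A", dest)
    weak.publish(dest, "reply for A")
    print("weak broker lets conn-B read:", weak.consume("conn-B", dest))
    fixed = TemporaryDestinationRegistry()
    fixed.create("conn-A", dest)
    fixed.publish(dest, "reply for A")
    print("fixed broker lets conn-B read:", fixed.can_consume("conn-B", dest))
```

The important property is that `can_consume` consults state the client never sends: the owner recorded at creation time. Anything a client asserts about itself in a consume request is irrelevant to the decision.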

CVE-2026-49877 is an “Improper Authorization” vulnerability in the Apache ActiveMQ Web Console. Due to an insecure default Jetty configuration, authenticated low-privilege Web Console users can, by default, access administrative paths under /admin/*.

The default Jetty settings did not restrict these admin endpoints to users with administrative roles, effectively granting elevated access to non-admin accounts.

A low-privileged user who authenticates to the Web Console can therefore reach critical administrative functions, change settings, or further pivot from the management interface.

Like the other issues, CVE-2026-49877 affects Apache ActiveMQ before 5.19.8 and from 6.0.0 before 6.2.7. This makes it a significant concern for deployments that expose the Web Console for operational use.
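The Web Console issue is a policy-shape problem: a URL pattern covering the administrative area was mapped to every authenticated role instead of the administrative one only. The following is an added example, not ActiveMQ's jetty.xml, that models the servlet-style "URL pattern to allowed roles" idea with the weak policy beside the corrected one and adds a small audit helper that lists privileged paths a non-admin role could still reach. Role names, patterns and sample paths are assumptions, and paths are assumed to be already normalized by the server.

```python
"""Path-based authorization for a management console: weak default beside the corrected one.

Constructed illustration; not ActiveMQ's configuration. The most specific (longest)
matching pattern decides, and a path matched by no pattern is denied.
"""
from typing import Dict, Iterable, List, Optional, Set

Policy = Dict[str, Set[str]]  # url pattern -> roles allowed to reach it

# Weak default: any authenticated role, including plain "user", can reach /admin/*.
WEAK_POLICY: Policy = {"/*": {"user", "admin"}, "/admin/*": {"user", "admin"}}
# Corrected: /admin/* is limited to the administrative role.
FIXED_POLICY: Policy = {"/*": {"user", "admin"}, "/admin/*": {"admin"}}


def _matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: '/x/*' covers '/x' and everything under '/x/'; otherwise exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_roles(policy: Policy, path: str) -> Optional[Set[str]]:
    """Roles allowed for `path` under the longest matching pattern, or None if nothing matches."""
    best = None
    for pattern in policy:
        if _matches(pattern, path) and (best is None or len(pattern) > len(best)):
            best = pattern
    return None if best is None else policy[best]


def is_authorized(policy: Policy, user_roles: Iterable[str], path: str) -> bool:
    """Deny by default; otherwise require at least one of the caller's roles to be allowed."""
    allowed = required_roles(policy, path)
    if allowed is None:
        return False
    return not allowed.isdisjoint(user_roles)


def overexposed_paths(policy: Policy, probe_paths: Iterable[str],
                      privileged_prefix: str = "/admin/",
                      non_admin_roles: Iterable[str] = ("user",)) -> List[str]:
    """Config audit: privileged paths that a non-administrative role could reach."""
    roles = set(non_admin_roles)
    return [p for p in probe_paths
            if p.startswith(privileged_prefix) and is_authorized(policy, roles, p)]


if __name__ == "__main__":
    probes = ["/index.html", "/admin/settings", "/admin/connections"]  # constructed sample paths
    print("weak policy exposes:", overexposed_paths(WEAK_POLICY, probes))
    print("fixed policy exposes:", overexposed_paths(FIXED_POLICY, probes))
```

Running the audit helper against a policy before deploying it turns the class of mistake behind this advisory into a failing check rather than a surprise in production: if any path under the privileged prefix is reachable with only the low-privilege role set, the policy is wrong.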

Apache recommends that all affected users upgrade immediately to ActiveMQ 6.2.7 or 5.19.8.

These releases introduce strict size validation for OpenWire property maps, enforce server-side ownership checks for temporary destinations, and correct default authorization behavior in the Web Console so that /admin/* paths are limited to true administrative users.

Alongside patching, organizations should restrict network access to brokers and consoles, audit roles and permissions, and monitor for abnormal memory usage, unexpected broker crashes, and unauthorized access attempts.
