CVE-2026-42588: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector
Improper Input Validation and Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All and Apache ActiveMQ.
Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter via the "masterslave://" URL scheme, which can load a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code is executed on the broker's JVM through bean factory methods such as Runtime.exec().
This issue affects:
- Apache ActiveMQ Broker: before 5.19.7, and from 6.0.0 before 6.2.6
- Apache ActiveMQ All: before 5.19.7, and from 6.0.0 before 6.2.6
- Apache ActiveMQ: before 5.19.7, and from 6.0.0 before 6.2.6
Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 5.19.7 (5.x) and 6.2.6 (6.x)
- Affected Products: 3
HarborGuard Analysis
Synopsis
This is a code injection vulnerability in Apache ActiveMQ Classic. The attack is reachable over the network and requires a low-privilege authenticated account; no other interaction is needed. A successful attacker can execute arbitrary code on the broker's JVM, and read or modify application data. Patched-image rebuilds at versions 5.19.7 and 6.2.6 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache ActiveMQ. Any image whose manifest includes an affected ActiveMQ version is flagged immediately.
HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and applying per-environment compliance policy weighting to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at ActiveMQ 5.19.7 or 6.2.6 becomes available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The Jolokia endpoint is exposed over HTTP on the ActiveMQ web console, so the attacker must be able to reach the service across the network.
- Authentication: Required
Any low-privilege account with access to the ActiveMQ web console is sufficient; no administrative credentials are required.
- Victim interaction: Not required
The attacker sends crafted requests directly to the Jolokia endpoint; no user action or social engineering is needed.
- Attack complexity: Low
The exploit is reliable and condition-free: invoking the BrokerService MBean's addNetworkConnector operation with a crafted URI consistently triggers Spring context loading and code execution, with no race condition or special memory layout required.
Blast Radius
- The attacker executes arbitrary operating-system commands on the broker's JVM host via Spring bean factory methods such as Runtime.exec().
- Confidential data accessible to the ActiveMQ process, including messages, credentials, and configuration files, can be read and exfiltrated.
- Persisted data reachable by the broker, such as queued messages and destination configurations, can be modified or deleted.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any scanned image containing an affected ActiveMQ version, including custom images. Where compliance policy permits auto-remediation, HarborGuard generates a rebuilt image at 5.19.7 or 6.2.6, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 8.1 scoring and routing to the responsible team. As a compensating control while patching is arranged, network policy can be used to restrict access to the ActiveMQ web console port to trusted internal IP ranges only, limiting exposure of the Jolokia endpoint.
Fix available
- Apache Software Foundation / Apache ActiveMQ Broker: < 5.19.7 (from 0) · < 6.2.6 (from 6.0.0)
- Apache Software Foundation / Apache ActiveMQ All: < 5.19.7 (from 0) · < 6.2.6 (from 6.0.0)
- Apache Software Foundation / Apache ActiveMQ: < 5.19.7 (from 0) · < 6.2.6 (from 6.0.0)
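The version ranges above, turned into a triage check over a container image's file list. This is an added example, not HarborGuard's scanner: the upper bounds are exclusive (5.19.7 and 6.2.6 are fixed), the artifact-name prefixes for the three listed products are an assumption about jar and tarball naming, and the sample manifest is constructed.

```python
import re

# Inclusive lower / exclusive upper bounds from the "Fix available" list: before 5.19.7, 6.0.0 up to 6.2.6.
AFFECTED_RANGES = [((0,), (5, 19, 7)), ((6, 0, 0), (6, 2, 6))]
# Assumed artifact prefixes for ActiveMQ Broker, ActiveMQ All and the ActiveMQ distribution.
PRODUCT_PREFIXES = ("activemq-broker-", "activemq-all-", "apache-activemq-")

def parse_version(text):
    """Extract the first x.y.z as an int tuple; returns None if absent. Pre-release suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True when a version string (or int tuple) falls inside an affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v is None:
        raise ValueError(f"no x.y.z version in {version!r}")
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def triage_artifacts(paths):
    """Return (path, version) for artifacts of the listed products that carry an affected version."""
    hits = []
    for path in paths:
        base = path.rsplit("/", 1)[-1].lower()
        v = parse_version(base)
        if base.startswith(PRODUCT_PREFIXES) and v is not None and is_affected(v):
            hits.append((path, ".".join(map(str, v))))
    return hits

SAMPLE_MANIFEST = [  # constructed file list, not a real scan result
    "/opt/activemq/lib/activemq-broker-5.18.3.jar",
    "/opt/activemq/lib/activemq-client-5.18.3.jar",   # not one of the three listed products
    "/opt/app/lib/activemq-all-6.2.6.jar",             # fixed version
    "/opt/app/lib/activemq-all-6.1.0.jar",
    "/downloads/apache-activemq-6.3.0-bin.tar.gz",     # above the 6.x range
]
```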
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N