CVE-2026-45505: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass
Improper Input Validation and Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass validation, allowing a bypass of the fix for CVE-2026-34197.

Original description from CVE-2026-34197: Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.
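The non-parenthesized wrapper forms named above are the crux of the bypass: a check that only recognises `static:(...)` never sees `static:vm://...`. The detector below is an added example and is neither ActiveMQ's nor HarborGuard's code. It unwraps both spellings of a discovery URI before looking for a nested `vm://` transport carrying a `brokerConfig` option, and runs over a few constructed Jolokia exec request bodies. The wrapper prefix list, the sample requests, the `PLACEHOLDER` value and the `naive_parenthesized_only_check` helper are assumptions made for the demonstration; the JSON shape is Jolokia's POST request format.

```python
"""Illustrative detector for Jolokia exec requests that try to add an ActiveMQ
connector whose discovery URI nests a vm:// transport carrying brokerConfig.
Added example; not ActiveMQ's or HarborGuard's code."""
import json
from urllib.parse import parse_qs, urlsplit

# Discovery wrapper prefixes to unwrap. static and masterslave are the two the
# advisory names; failover is another real ActiveMQ composite transport.
# Extend for the transports enabled in a given deployment (assumption).
WRAPPER_PREFIXES = ("static", "masterslave", "failover")

# Broker operations named in the advisory that accept a transport/discovery URI.
SENSITIVE_OPERATIONS = {"addNetworkConnector", "addConnector"}


def split_top_level(s):
    """Split on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def unwrap_discovery_uri(uri):
    """Return the leaf transport URIs of a possibly nested discovery URI.

    Handles the parenthesized form      static:(vm://a,vm://b)?opt=1
    and the non-parenthesized form      static:vm://a,vm://b
    so that neither spelling hides the inner transports from inspection.
    """
    uri = uri.strip()
    lowered = uri.lower()
    for prefix in WRAPPER_PREFIXES:
        if lowered.startswith(prefix + ":"):
            rest = uri[len(prefix) + 1:]
            if rest.startswith("("):
                close = rest.rfind(")")  # options after ')' belong to the wrapper
                inner = rest[1:close] if close != -1 else rest[1:]
            else:
                inner = rest
            leaves = []
            for part in split_top_level(inner):
                leaves.extend(unwrap_discovery_uri(part))
            return leaves
    return [uri]


def leaf_loads_broker_config(leaf):
    """True if the leaf is a vm:// transport carrying a brokerConfig option,
    the pattern the advisory says is used to pull in a Spring XML context."""
    parts = urlsplit(leaf)
    if parts.scheme.lower() != "vm":
        return False
    return any(k.lower() == "brokerconfig" for k in parse_qs(parts.query))


def naive_parenthesized_only_check(uri):
    """Hypothetical check that only recognises the parenthesized wrapper form.
    Kept only to show how the non-parenthesized spelling slips past it."""
    lowered = uri.lower()
    return "(vm://" in lowered and "brokerconfig" in lowered


def inspect_request(line):
    """Parse one Jolokia JSON request body; return a finding dict or None."""
    try:
        req = json.loads(line)
    except ValueError:
        return None
    if req.get("type") != "exec" or req.get("operation") not in SENSITIVE_OPERATIONS:
        return None
    if not str(req.get("mbean", "")).startswith("org.apache.activemq:"):
        return None
    for arg in req.get("arguments") or []:
        if not isinstance(arg, str):
            continue
        bad = [leaf for leaf in unwrap_discovery_uri(arg) if leaf_loads_broker_config(leaf)]
        if bad:
            return {"operation": req["operation"], "uri": arg, "leaves": bad}
    return None


def scan(lines):
    """Run inspect_request over an iterable of request bodies; return findings."""
    return [f for f in (inspect_request(l) for l in lines) if f]


# Constructed sample request bodies in Jolokia's POST shape, not real traffic.
SAMPLE_REQUESTS = [
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"TotalMessageCount"}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["static:(tcp://peer.example.internal:61616)"]}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["static:(vm://x?brokerConfig=PLACEHOLDER)"]}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["static:vm://x?brokerConfig=PLACEHOLDER"]}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addConnector","arguments":["masterslave:vm://x?brokerConfig=PLACEHOLDER,vm://y"]}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Run as-is it reports the third, fourth and fifth sample requests; the second (a plain `static:(tcp://...)` peer) and the read request are left alone. The design point is that unwrapping is done structurally, by prefix and comma splitting, rather than by looking for a parenthesis, so the two spellings of the same wrapper produce the same leaf list.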
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 5.19.7
- Affected Products: 3
HarborGuard Analysis
Synopsis
A code injection vulnerability in Apache ActiveMQ allows an authenticated attacker to achieve remote code execution on the broker's JVM. The attack is reachable over the network through the Jolokia JMX-HTTP bridge exposed on the ActiveMQ web console, and requires only a low-privilege account. By invoking broker MBean operations with a crafted discovery URI, an attacker can load a remote Spring XML application context and execute arbitrary OS commands through bean factory methods. Patched-image rebuilds at versions 5.19.7 and 6.2.6 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-45505 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI pipelines within minutes of publication. Coverage includes custom-built images that bundle Apache ActiveMQ, regardless of base image or distribution.
HarborGuard scores this CVE at CVSS 8.8 HIGH and applies each customer organization's compliance policy weighting to prioritize the finding in the right team's queue. Triage metadata, including the affected package version range and Jolokia attack surface context, is surfaced alongside the alert.
A patched-image rebuild at ActiveMQ 5.19.7 or 6.2.6 (depending on the version branch in use) becomes available through HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the ActiveMQ web console over the network to invoke the Jolokia JMX-HTTP bridge at /api/jolokia/.
- Authentication: Required
  A valid account is required, but any low-privilege credential is sufficient to invoke the targeted MBean exec operations.
- Victim interaction: Not required
  No user interaction is needed; the attacker invokes the Jolokia endpoint directly without involving any other user.
- Attack complexity: Low (AC:L)
  The exploit is reliable and condition-free once network access and a low-privilege account are in hand, requiring no race conditions or special environmental setup.
Blast Radius
- The attacker executes arbitrary OS commands on the broker's JVM, giving full control over the ActiveMQ process and the host account it runs under.
- All data transiting the broker, including message payloads and credentials stored in the broker configuration, is readable by the attacker.
- The attacker can modify or delete messages, queues, topics, and broker configuration, corrupting any workload that depends on the message bus.
- The attacker can crash or permanently disable the broker, cutting off all messaging traffic routed through the affected ActiveMQ instance.
How HarborGuard Handles This
Available on HarborGuard: images containing Apache ActiveMQ below version 5.19.7 (5.x branch) or below 6.2.6 (6.x branch) are flagged automatically within minutes of the CVE entering upstream advisory feeds. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the applicable fix version, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a prioritized finding are routed to the team inbox for review. Given that this vulnerability bypasses a prior input-validation fix (CVE-2026-34197), customers who have not yet upgraded should consider applying a network policy to restrict access to the ActiveMQ web console port, and disabling or restricting Jolokia exec permissions via the Jolokia access policy file as a compensating control while the upgrade is staged.
Fix available
- Apache Software Foundation / Apache ActiveMQ Broker: < 5.19.7 (from 0) · < 6.2.6 (from 6.0.0)
- Apache Software Foundation / Apache ActiveMQ All: < 5.19.7 (from 0) · < 6.2.6 (from 6.0.0)
- Apache Software Foundation / Apache ActiveMQ: < 5.19.7 (from 0) · < 6.2.6 (from 6.0.0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H