CVE-2026-40466— Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40466
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache多款产品 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache ActiveMQ等都是美国阿帕奇(Apache)基金会的产品。Apache ActiveMQ是一套开源的消息中间件,Apache ActiveMQ Broker是一个支持多协议的企业级消息代理中间件。Apache ActiveMQ All是一个包含消息代理及相关组件的完整消息中间件发行包。 Apache多款产品存在输入验证错误漏洞,该漏洞源于输入验证不当和代码注入,可能导致经过身份验证的攻击者绕过CVE-2026-34197的修复,通过Jolokia添加连接器,利用HTTP Discover
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache ActiveMQ Broker | 0 ~ 5.19.6 | - | |
| Apache Software Foundation | Apache ActiveMQ All | 0 ~ 5.19.6 | - | |
| Apache Software Foundation | Apache ActiveMQ | 0 ~ 5.19.6 | - |
II. Public POCs for CVE-2026-40466
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Apache ActiveMQ before 5.19.6 and 6.0.0 through 6.2.4 is vulnerable to remote code execution via a bypass of the CVE-2026-34197 security fix. The original fix blocked the "vm://" transport scheme in BrokerView.addNetworkConnector() and BrokerView.addConnector() to prevent authenticated attackers from loading malicious Spring XML configurations via the Jolokia API. However, the fix only denied the "vm" scheme. An attacker can bypass this restriction by using the HTTP Discovery transport(http://attacker/discovery), which is not in the denied scheme list. The attacker-controlled HTTP endpoint returns a vm:// transport URI as a second-stage response, which then loads a remote Spring XML application context, leading to arbitrary code execution on the broker JVM. The activemq-http module must be on the classpath (present by default in the "all" distribution), and authenticated access to the Jolokia API (/api/jolokia/) is required. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-40466.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40466
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2026-04-24 · 7 CVEs total
| CVE-2026-41043 | Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when brows | |
| CVE-2026-41044 | Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perfo | |
| CVE-2025-62233 | Apache DolphinScheduler: Deserialization of untrusted data in RPC | |
| CVE-2026-23902 | Apache DolphinScheduler: Users are able to use tenants that are not defined on the platfor | |
| CVE-2026-40690 | Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated t | |
| CVE-2026-38743 | Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-20
V. Comments for CVE-2026-40466
No comments yet