CVE-2026-41044— Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia

Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

N/A

输入验证不恰当

Apache多款产品 输入验证错误漏洞

Apache ActiveMQ等都是美国阿帕奇（Apache）基金会的产品。Apache ActiveMQ是一套开源的消息中间件，Apache ActiveMQ Broker是一个支持多协议的企业级消息代理中间件。Apache ActiveMQ All是一个包含消息代理及相关组件的完整消息中间件发行包。 Apache多款产品存在输入验证错误漏洞，该漏洞源于输入验证不当和代码注入，可能导致经过身份验证的攻击者使用管理Web控制台页面构造恶意代理名称，绕过名称验证以包含xbean绑定，随后通过VM传输加载远程

N/A

N/A