Apache ActiveMQ Authenticated RCE via Code Injection (CVE-2026-41844)

Vulnerability Overview Vulnerability Name: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') Vulnerability Description: A vulnerability exists in Apache ActiveMQ, Apache ActiveMQ Broker, and Apache ActiveMQ All that allows an authenticated attacker to craft a malicious broker name via the admin web console page, bypassing name validation to include an xbean binding. The attacker can leverage the VM transport to load a remote Spring XML application and trigger creation of the VM transport by sending a message through the DestinationView xbean, thereby referencing the malicious broker name and causing a malicious Spring XML context file to be loaded. Since Spring’s instantiates all singleton beans before BrokerService validates the configuration, arbitrary code execution occurs on the broker’s JVM via bean factory methods such as . Impact Scope Affected Versions: - Apache ActiveMQ (org.apache.activemq:apache-activemq) versions prior to 5.19.6 - Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) versions prior to 5.19.6 - Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) versions from 6.0.0 up to but not including 6.2.5 - Apache ActiveMQ All (org.apache.activemq:activemq-all) versions prior to 5.19.6 - Apache ActiveMQ All (org.apache.activemq:activemq-all) versions from 6.0.0 up to but not including 6.2.5 Remediation Recommended Upgrade Version: 6.2.5 or 5.19.6, which have fixed this vulnerability. References Apache ActiveMQ Official Website CVE Record Contributors jsjcw (finder)

Goal Reached Thanks to every supporter — we hit 100%!

Apache ActiveMQ Authenticated RCE via Code Injection (CVE-2026-41844)