Apache has urged ActiveMQ users to urgently update their deployments after three vulnerabilities were disclosed affecting both the 5.x and 6.x branches of the popular open-source messaging broker. Left unpatched, the issues can crash brokers, break isolation between client connections, and grant low-privilege users access to administrative functionality.
CVE-2026-53917: Unbounded Memory Allocation Leads to Broker Crashes
The first issue is a “Memory Allocation with Excessive Size Value” vulnerability affecting ActiveMQ, ActiveMQ All, ActiveMQ Client, and ActiveMQ Broker. The flaw sits in how OpenWire message property maps are unmarshalled: when an authenticated user sends a crafted OpenWire message declaring an oversized encoded map, the broker attempts to allocate memory for it without validating the size first.
Because there is no upper bound on this allocation, the broker can quickly exhaust available memory and crash, producing a denial-of-service condition for every application depending on that messaging infrastructure. Environments that expose OpenWire endpoints to less-trusted clients are especially at risk, since a single malicious or compromised client can reliably take the broker down.
CVE-2026-54475: Temporary Destination Isolation Can Be Bypassed
The second vulnerability is a “Missing Authorization” flaw in how ActiveMQ Classic handles temporary destinations. Temporary queues and topics are meant to be isolated to the connection that created them, so only that connection can consume its own messages. That isolation, however, was only enforced in client-side logic — the broker itself never fully verified ownership.
As a result, a different connection can consume messages from another connection’s temporary destination, breaking the expected isolation model. In multi-tenant or shared messaging environments, this can allow unintended cross-tenant data leakage between applications or customers that are supposed to be walled off from one another.
CVE-2026-49877: Web Console Privilege Escalation
The third issue is an “Improper Authorization” flaw in the ActiveMQ Web Console, caused by an insecure default Jetty configuration. Administrative paths under /admin/* were not properly restricted to admin-role accounts, meaning any authenticated, low-privilege Web Console user could reach administrative functionality by default — potentially changing broker settings or pivoting further into the management interface.
Affected Versions and Fix
- All three vulnerabilities affect ActiveMQ, ActiveMQ Broker, and ActiveMQ All before version 5.19.8, and from 6.0.0 before 6.2.7
- Apache recommends immediate upgrade to ActiveMQ 6.2.7 or 5.19.8
- The new releases add strict size validation for OpenWire property maps, enforce server-side ownership checks on temporary destinations, and correct the default Web Console authorization so
/admin/*paths require true administrative roles
Recommended Actions
- Upgrade all ActiveMQ brokers and clients to the patched versions as soon as possible
- Restrict network access to brokers and the Web Console to trusted networks only
- Audit existing user roles and permissions on the Web Console for unnecessary administrative access
- Monitor for abnormal memory usage, unexpected broker restarts, and unauthorized consumption of temporary destinations, which may indicate exploitation attempts
Messaging infrastructure like ActiveMQ often sits quietly at the center of critical application pipelines, making availability and isolation guarantees especially important. Organizations running affected versions should treat this patch cycle as high priority, particularly if brokers are reachable by third-party or lower-trust clients.