Apache ActiveMQ chained RCE, XSS

- Apache ActiveMQ maintainers disclosed three fresh flaws on April 23-24, including two code-execution bugs and one cross-site scripting bug, and told users to move to versions 5.19.6 or 6.2.5.
- The most severe chain lets an authenticated user abuse Jolokia and Spring XML loading to run code on the broker’s Java virtual machine, with CISA’s ADP scoring CVE-2026-40466 at 8.8.
- The disclosures land weeks after Apache patched CVE-2026-34197, which CVE-2026-40466 can bypass when the `activemq-http` module is present. (nvd.nist.gov)

Apache ActiveMQ just disclosed three new security flaws, including two paths to remote code execution and one web-console cross-site scripting bug. (activemq.apache.org 1) (activemq.apache.org 2) (nvd.nist.gov) ActiveMQ is a message broker: software that sits between applications and moves data from one system to another. Its web console exposes Jolokia, a bridge that turns Java management (JMX) operations into HTTP requests an administrator can click or call. (activemq.apache.org) (nvd.nist.gov)

The first of the newly disclosed bugs, CVE-2026-41044, lets an authenticated attacker use the admin console to create a malicious broker name, then trigger a VM transport that loads a remote Spring XML application context. Apache said that can end in arbitrary code execution through bean factory methods such as `Runtime.exec`. (activemq.apache.org) (openwall.com)

The second code-execution bug, CVE-2026-40466, is a bypass of the earlier CVE-2026-34197 fix. NIST said an authenticated attacker can add a connector through Jolokia using HTTP discovery, get back a VM transport, and again reach remote Spring XML loading on the broker’s Java virtual machine. The bypass requires the `activemq-http` module to be present. (nvd.nist.gov 1) (nvd.nist.gov 2)

The third flaw, CVE-2026-41043, is a cross-site scripting issue in the web console. Apache said an authenticated attacker can override the response content type to HTML and inject HTML into a Java Message Service (JMS) selector field, so the malicious content renders while queues are being browsed. (activemq.apache.org)

All three disclosures affect Apache ActiveMQ releases before 5.19.6 and 6.0.0 through 6.2.4, with fixes in 5.19.6 and 6.2.5. That is newer than Apache’s earlier guidance for CVE-2026-34197 alone, which pointed users to 5.19.4 or 6.2.3. (activemq.apache.org 1) (activemq.apache.org 2) (nvd.nist.gov)

The common thread is Spring XML loading that happens before configuration validation finishes. Both code-execution advisories say `ResourceXmlApplicationContext` instantiates singleton beans before `BrokerService` completes validation, which is why crafted inputs can reach code execution. (activemq.apache.org) (nvd.nist.gov) NIST’s record for CVE-2026-40466 shows a CISA-ADP (Authorized Data Publisher) score of 8.8, marked high, with low attack complexity and no user interaction. Apache labeled CVE-2026-41043 and CVE-2026-41044 as “important” in its advisories. (nvd.nist.gov) (activemq.apache.org) (activemq.apache.org) Apache credited Khaled Alshammri with finding CVE-2026-41043 and jsjcw with finding CVE-2026-41044. The practical takeaway from Apache’s own advisories is simple: if you run ActiveMQ Classic, the safe target is now 5.19.6 or 6.2.5, not the earlier April fixes alone. (activemq.apache.org) (activemq.apache.org)
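A quick triage helper for the version ranges above, added here as an example; it is not code from the Apache ActiveMQ project or the advisories. It encodes only what the advisories state (affected: before 5.19.6, and 6.0.0 through 6.2.4; fixed: 5.19.6 and 6.2.5) and flags whether the CVE-2026-40466 bypass is reachable by looking for an `activemq-http` jar. The `lib` directory layout it walks, the `activemq-http*.jar` file name pattern, and the sample inventory at the bottom are assumptions for illustration, not facts from the page.

```python
"""Triage ActiveMQ Classic installs against the 5.19.6 / 6.2.5 advisories.

Added example, not project code. Version ranges come from the advisories
quoted in the article; the jar-name pattern and lib-directory layout are
assumptions about the Classic binary distribution.
"""
import os
import re

# Fixed releases named in the advisories, keyed by major version line.
FIXED = {5: (5, 19, 6), 6: (6, 2, 5)}


def parse_version(s):
    """Turn '5.19.5' or '6.2.4-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the release falls in an affected range stated in the advisories."""
    v = parse_version(version)
    major = v[0]
    if major <= 5:
        # "releases before 5.19.6": every 5.x (and older) below the fix
        return v < FIXED[5]
    if major == 6:
        # "6.0.0 through 6.2.4": every 6.x below the 6.2.5 fix
        return v < FIXED[6]
    # The advisories name no line beyond 6.x; treat as not in range.
    return False


def upgrade_target(version):
    """The minimum safe release for this install's major line, or None if already fixed."""
    if not is_vulnerable(version):
        return None
    major = parse_version(version)[0]
    return "5.19.6" if major <= 5 else "6.2.5"


def http_module_jar(jar_names):
    """Return the first jar name that looks like the activemq-http module, else None.

    Pure function over file names so it can be checked without a filesystem.
    The name pattern is an assumption about how the module ships.
    """
    for name in jar_names:
        if name.startswith("activemq-http") and name.endswith(".jar"):
            return name
    return None


def has_http_module(lib_dir):
    """Walk a lib directory (assumed layout) and report any activemq-http jar found."""
    for root, _dirs, files in os.walk(lib_dir):
        hit = http_module_jar(files)
        if hit:
            return os.path.join(root, hit)
    return None


def triage(version, jar_names=()):
    """Summarise exposure for one install from its version and lib jar inventory."""
    vuln = is_vulnerable(version)
    http_jar = http_module_jar(jar_names)
    return {
        "version": version,
        "vulnerable": vuln,
        "upgrade_to": upgrade_target(version),
        # CVE-2026-40466 (the CVE-2026-34197 bypass) additionally needs activemq-http.
        "cve_2026_40466_bypass_reachable": vuln and http_jar is not None,
        "http_module_jar": http_jar,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real host.
    sample_jars = ["activemq-broker-5.19.4.jar", "activemq-http-5.19.4.jar", "jolokia-core.jar"]
    for ver in ("5.19.4", "5.19.6", "6.2.3", "6.2.5"):
        print(triage(ver, sample_jars))
```

Run it against the version string from `activemq --version` (or the jar names under the broker's `lib` tree) on each broker; any install with `vulnerable` set needs the 5.19.6 or 6.2.5 target, and the earlier 5.19.4 / 6.2.3 fixes for CVE-2026-34197 are reported as still vulnerable because of the bypass.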

Shared from Scout - Be the smartest in the room.