Apache ActiveMQ CVE-2026-40466 flagged
- Apache ActiveMQ’s new CVE-2026-40466 is a bypass for April’s Jolokia bug, reopening authenticated remote code execution on unpatched Classic brokers.
- The fix lands in 5.19.6 and 6.2.5, after the earlier CVE-2026-34197 patch in 5.19.4 and 6.2.3 proved incomplete.
- That matters because ActiveMQ’s Jolokia path is already in CISA’s exploited-vulnerability workflow, so defenders will treat this as a live follow-on risk.
Apache ActiveMQ is message-broker software — the plumbing that lets applications pass jobs, events, and data around inside a company. When that plumbing breaks, the risk is ugly, because the broker often sits deep in trusted internal networks and talks to a lot of other systems. That is why CVE-2026-40466 matters. It is not a brand-new bug class. It is a bypass for an earlier ActiveMQ remote-code-execution fix, and Apache has now told users to move again to newer patched builds.

### What actually changed?

Apache published CVE-2026-40466 as an “important” ActiveMQ Classic issue affecting versions before 5.19.6 and 6.0.0 through 6.2.4. The new advisory says the earlier fix for CVE-2026-34197 can be bypassed under specific conditions, so users who already patched to 5.19.4 or 6.2.3 may still be exposed if they stopped there. The new fixed versions are 5.19.6 and 6.2.5. (activemq.apache.org)

### What was the original bug?

The April bug, CVE-2026-34197, lived in the Jolokia JMX-HTTP bridge exposed through the ActiveMQ web console. In plain English, an authenticated user could call management functions that add connectors, feed in a crafted discovery URI, and get the broker to load a remote Spring XML application context. That chain could end in arbitrary code execution inside the broker JVM. Apache fixed that in 5.19.4 and 6.2.3 — but it turns out the validation was not complete. (activemq.apache.org)

### So how does the bypass work?

The bypass uses HTTP Discovery as a second stage. Apache says an authenticated attacker can add a connector through Jolokia, point it at a malicious HTTP endpoint, and have that endpoint return a VM transport URI. That VM transport can still carry the dangerous `brokerConfig` parameter, which then loads remote Spring XML before broker validation finishes. Basically, the first patch blocked one path, but this route let the attacker sneak the dangerous payload in through another door. (activemq.apache.org)

### Why is Jolokia the recurring problem?

Jolokia is useful because it exposes Java management operations over HTTP. But in ActiveMQ Classic, that also means broker-management methods become reachable through the web layer. If those methods can create connectors or load config from attacker-controlled locations, the management plane stops being “just admin” and starts being an execution surface. That is why several recent ActiveMQ advisories cluster around Jolokia and related MBeans. (activemq.apache.org)

### How severe is this one?

CISA’s ADP score on NVD lists CVE-2026-40466 at 8.8, marked High, with network attack vector, low attack complexity, low privileges required, and no user interaction. The catch is the privileges piece — this is not an unauthenticated internet-wide worm bug by default. But if an attacker already has valid access to the console path, or has stolen credentials, the path to code execution is straightforward enough to be taken seriously. (activemq.apache.org)

### Why are defenders treating this as urgent?

Because the earlier bug is already in CISA’s Known Exploited Vulnerabilities flow. CISA added CVE-2026-34197 to KEV on April 16, 2026, citing evidence of active exploitation. CVE-2026-40466 is a bypass for that exact issue, so even without a separate KEV entry yet, defenders will read it as a live follow-on patching problem rather than a theoretical lab finding. That is an inference — but a pretty grounded one. (nvd.nist.gov)

### What should ActiveMQ users do now?

Upgrade to 5.19.6 or 6.2.5 if you run affected ActiveMQ Classic branches. Then check whether Jolokia is exposed, whether the `activemq-http` module is present, and whether any users have more broker-management access than they need. Also review for unexpected connectors, suspicious outbound HTTP from brokers, and any signs that remote Spring XML was loaded. The point is not just patching — it is verifying that nobody already walked through the old hole or the bypass. (cisa.gov)

### Bottom line?

This is a fix-on-top-of-a-fix story. Those are the ones defenders hate most, because they create false confidence. If you run ActiveMQ Classic and thought April’s patch closed the book, it did not. The real safe versions are newer — and this one belongs near the top of the queue. (activemq.apache.org)
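As an added defensive example (not code from Apache or from the advisory), the Python helpers below implement two of the checks from the “What should ActiveMQ users do now?” section: deciding whether a Classic version falls inside the affected ranges the advisory names, and scanning connector URIs or broker log lines for the two ingredients the bypass relies on, HTTP-based discovery and a `brokerConfig` parameter pointing at remote Spring XML. The log lines and addresses are constructed, and the scheme list and the `discovery:(http://...)` form are assumptions about how these URIs appear in broker logs.

```python
import re

# First fixed build per branch, from the advisory; anything older on that branch is affected.
FIXED_BUILDS = {5: (5, 19, 6), 6: (6, 2, 5)}

# Each check is (label, pattern). The two ingredients the advisory describes are
# HTTP discovery and a brokerConfig parameter that loads remote Spring XML.
CHECKS = [
    ("http-discovery", re.compile(r"discovery:\(\s*https?://", re.I)),
    ("brokerConfig-present", re.compile(r"\bbrokerConfig=", re.I)),
    ("remote-spring-xml", re.compile(r"brokerConfig=[^&\s]*https?://", re.I)),
]
# Assumed shape of transport/connector URIs inside a log line (scheme list is a guess).
URI_IN_LOG = re.compile(r"\b(?:vm|discovery|tcp|nio|ssl):\S+")


def parse_version(text):
    """'5.19.4' -> (5, 19, 4); tolerates suffixes such as '6.2.3-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when a Classic build is below the first fixed release of its branch."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    return fixed is not None and v < fixed  # branches the advisory does not name: False


def audit_uri(uri):
    """Labels of every check that fires on one connector/transport URI."""
    return [label for label, pattern in CHECKS if pattern.search(uri)]


def audit_log(lines):
    """(line_no, uri, findings) for each URI in the log lines that trips a check."""
    hits = []
    for n, line in enumerate(lines, 1):
        for uri in URI_IN_LOG.findall(line):
            findings = audit_uri(uri)
            if findings:
                hits.append((n, uri, findings))
    return hits


# Constructed sample log lines (not real broker output); the last two should be flagged.
SAMPLE_LOG = [
    "INFO  TransportConnector - Connector openwire started: tcp://0.0.0.0:61616",
    "INFO  BrokerService - adding connector discovery:(http://198.51.100.7:8080/agent)",
    "INFO  TransportConnector - vm://localhost?brokerConfig=xbean:http://198.51.100.7/ctx.xml",
]
```

Run `audit_log` over real broker logs and `is_affected` over the version each broker reports; a hit on `remote-spring-xml` is the “remote Spring XML was loaded” sign the checklist asks you to look for.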