This is an automated email from the ASF dual-hosted git repository.

cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 3e658bdab Add new 2026 CVE announcements
3e658bdab is described below

commit 3e658bdabab4fdeed525f81e0a6ee06c7a9c7b11
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Mon Apr 6 09:22:32 2026 -0400

    Add new 2026 CVE announcements
---
 src/components/classic/security.md                 |  2 ++
 .../CVE-2026-33227-announcement.txt                | 29 +++++++++++++++++++++
 .../CVE-2026-34197-announcement.txt                | 30 ++++++++++++++++++++++
 3 files changed, 61 insertions(+)

diff --git a/src/components/classic/security.md 
b/src/components/classic/security.md
index f8036a72c..a5ee6824f 100644
--- a/src/components/classic/security.md
+++ b/src/components/classic/security.md
@@ -9,6 +9,8 @@ Details of security problems fixed in released versions of 
Apache ActiveMQ Class
 
 See the main [Security Advisories](../../security-advisories) page for details 
for other components and general information such as reporting new security 
issues.
 
+*   
[CVE-2026-34197](../../security-advisories.data/CVE-2026-34197-announcement.txt)
 - Authenticated users could perform RCE via Jolokia MBeans
+*   
[CVE-2026-33227](../../security-advisories.data/CVE-2026-33227-announcement.txt)
 - Improper Limitation of a Pathname to a Restricted Classpath Directory
 *   
[CVE-2025-66168](../../security-advisories.data/CVE-2025-66168-announcement.txt)
 - MQTT control packet remaining length field is not properly validated
 *   
[CVE-2025-54539](../../security-advisories.data/CVE-2025-54539-announcement.txt)
 - Deserialization of Untrusted Data
 *   
[CVE-2025-29953](../../security-advisories.data/CVE-2025-29953-announcement.txt)
 - Deserialization allowlist bypass
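Review bot: the one-line summary for CVE-2026-33227 ("Improper Limitation of a Pathname to a Restricted Classpath Directory") does not match the wording used in the announcement file added in this same commit ("Improper validation and restriction of a classpath path name vulnerability"); pick one phrasing so the index and the advisory agree. Consider also carrying the severity from each announcement (low for CVE-2026-33227, important for CVE-2026-34197) into these index entries, since readers scanning security.md otherwise have to open each announcement to learn it.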
diff --git a/src/security-advisories.data/CVE-2026-33227-announcement.txt 
b/src/security-advisories.data/CVE-2026-33227-announcement.txt
new file mode 100644
index 000000000..13ad83c54
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-33227-announcement.txt
@@ -0,0 +1,29 @@
+Severity: low
+
+Affected versions:
+
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.3
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before 
6.2.2
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.3
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.2
+- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.3
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.2
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.3
+- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.2
+
+Description:
+
+Improper validation and restriction of a classpath path name vulnerability in 
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.
+
+In two instances (when creating a Stomp consumer and also browsing messages in 
the Web console) an authenticated user provided "key" value could be 
constructed to traverse the classpath due to path concatenation. As a result, 
the application is exposed to a classpath path resource loading vulnerability 
that could potentially be chained together with another attack to lead to 
exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 
before 6.2.2; Apache ActiveMQ Broker: [...]
+
+Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the 
issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to 
non-Windows environments due to a path separator resolution bug fixed in 5.19.4 
and 6.2.3.
+
+Credit:
+
+Dawei Wang (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-33227
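Review bot: the Affected versions list ("before 5.19.3", "6.0.0 before 6.2.2") is inconsistent with the remediation paragraph, which states that 5.19.3 and 6.2.2 only fix the issue on non-Windows environments and recommends 5.19.4 or 6.2.3. On Windows, 5.19.3 and 6.2.2 are therefore still affected, so either extend the ranges to "before 5.19.4" and "6.0.0 before 6.2.3" (with the non-Windows caveat attached) or state explicitly that the listed ranges apply only to non-Windows deployments. Two smaller points in the Description: the affected-products sentence is cut off at "Apache ActiveMQ Broker: [...]" and should be completed (it also omits activemq-web, which the list above includes), and "exploit.This issue" is missing a space after the period.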
diff --git a/src/security-advisories.data/CVE-2026-34197-announcement.txt 
b/src/security-advisories.data/CVE-2026-34197-announcement.txt
new file mode 100644
index 000000000..271e7494d
--- /dev/null
+++ b/src/security-advisories.data/CVE-2026-34197-announcement.txt
@@ -0,0 +1,30 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 
6.2.3
+- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
+- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
+
+Description:
+
+Improper Input Validation, Improper Control of Generation of Code ('Code 
Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.
+
+Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ 
on the web console. The default Jolokia access policy permits exec operations 
on all ActiveMQ MBeans (org.apache.activemq:*), including
+BrokerService.addNetworkConnector(String) and 
BrokerService.addConnector(String).
+
+An authenticated attacker can invoke these operations with a crafted discovery 
URI that triggers the VM transport's brokerConfig parameter to load a remote 
Spring XML application context using ResourceXmlApplicationContext.
+Because Spring's ResourceXmlApplicationContext instantiates all singleton 
beans before the BrokerService validates the configuration, arbitrary code 
execution occurs on the broker's JVM through bean factory methods such as 
Runtime.exec().
+This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 
6.2.3; Apache ActiveMQ: .
+
+Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the 
issue.
+
+Credit:
+
+Naveen Sunkavally (Horizon3.ai) (finder)
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-34197
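Review bot: the Affected versions list says Broker and activemq-all are affected "before 5.19.4", but the remediation paragraph recommends upgrading to 5.19.5 or 6.2.3; if 5.19.4 does not contain the fix the ranges should read "before 5.19.5", and if it does the recommendation should name 5.19.4. The sentence "This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: ." ends with an empty version range for Apache ActiveMQ and should either be completed from the list above or dropped, since it duplicates that list. Since the Description attributes the exposure to the default Jolokia access policy permitting exec operations on org.apache.activemq:*, operators who cannot upgrade immediately would benefit from a line stating whether tightening that access policy or restricting access to the web console is an acceptable interim mitigation.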


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact

