Two critical security vulnerabilities have been disclosed in Apache ActiveMQ: CVE-2026-42253 (HTTP Response Header Injection) and CVE-2026-49157 (Incorrect Default Permissions), both patched in versions 5.19.7 and 6.2.6, released May 31, 2026.
Organizations relying on ActiveMQ for enterprise messaging and microservices must upgrade immediately to prevent cross-site scripting, session hijacking, and unauthorized broker manipulation.
CVE-2026-42253 is an HTTP Response Header Injection vulnerability tracked under the CWE-79 (Improper Neutralization of Input During Web Page Generation) classification.
The flaw exists within the MessageServlet component of the Apache ActiveMQ web console API, which blindly copies all Java Message Service (JMS) message properties into HTTP response headers without applying any input validation or sanitization.
Because HTTP response headers govern critical browser-side security mechanisms, including Content Security Policy (CSP), X-Frame-Options, and HTTP Strict Transport Security (HSTS), an attacker who can send crafted JMS messages to the broker can overwrite or inject arbitrary header values into responses returned to end users.
The practical impact is severe: attackers can bypass existing CSP policies, enable reflected cross-site scripting (XSS), perform session hijacking, or execute clickjacking attacks against users accessing the ActiveMQ web console.
This vulnerability is particularly dangerous in enterprise deployments where the ActiveMQ web console is integrated into internal tooling, monitoring dashboards, or exposed to authenticated but untrusted users.
Unlike traditional XSS flaws that target application-layer HTML, this attack operates at the HTTP transport layer, making it harder to detect with standard application security scanners.
Security researchers Vishal Shukla, pyn3rd, uname, and 4ra1n were credited with discovering and responsibly disclosing the header injection vulnerability.
Affected Versions
The vulnerability affects the following product versions:
- Apache ActiveMQ: All versions before 5.19.7; versions 6.0.0 up to but not including 6.2.6
- Apache ActiveMQ Web: All versions before 5.19.7; versions 6.0.0 up to but not including 6.2.6
The Apache Software Foundation addressed CVE-2026-42253 by deprecating and disabling the MessageServlet by default in the patched releases, directly eliminating the attack vector rather than attempting to sanitize the vulnerable code path. Versions 5.19.7 and 6.2.6 were released on May 31, 2026 and contain the complete remediation.
Disclosed simultaneously, CVE-2026-49157 is an Incorrect Default Permissions vulnerability in Apache ActiveMQ that exposes the Jolokia broker management API to low-privilege authenticated users.
The default Jolokia authorization settings granted non-admin web-login accounts access to sensitive exec operations on ActiveMQ MBeans, including the ability to create or delete queues, start or stop connectors, and interact with broker management functions typically reserved for administrative roles.
This flaw was reported by security researcher Leon Johnson. In multi-tenant or enterprise broker deployments, a malicious authenticated user exploiting CVE-2026-49157 could perform unauthorized broker manipulation, silently disrupting message flows, injecting rogue connectors, or staging conditions for further lateral movement within internal infrastructure.
The Jolokia API has historically been a high-value target in Apache ActiveMQ environments. Earlier this year, CVE-2026-34197, a critical RCE vulnerability (CVSS 8.8), demonstrated how attackers could chain Jolokia MBean execution with Spring XML remote loading to achieve arbitrary OS command execution on the broker JVM. CVE-2026-49157 compounds this risk by widening the pool of users who can access those same execution pathways.
Both flaws target management interfaces exposed through the ActiveMQ web console and its underlying APIs. In practice, an attacker with low-privilege access could:
- Exploit CVE-2026-49157 to access Jolokia endpoints and manipulate broker operations without admin credentials
- Use elevated broker control to inject crafted JMS messages with malicious header payloads
- Leverage CVE-2026-42253 to inject headers overwriting CSP and security policies for users accessing the web console
- Execute downstream XSS or session hijacking attacks against administrators reviewing broker status
This chain is especially dangerous in environments still running default credentials (admin:admin), which remain common in enterprise deployments according to Horizon3.ai research.
On ActiveMQ versions 6.0.0–6.1.1, the related CVE-2024-32114 also removed authentication requirements from the /api/* path, making Jolokia endpoints entirely unauthenticated and rendering both CVEs exploitable without any credentials.
Mitigations
Organizations should take the following actions immediately:
- Upgrade to Apache ActiveMQ 5.19.7 or 6.2.6 — both CVEs are fully patched in these releases
- Restrict web console access to trusted internal networks or VPN-only segments; never expose the console to the public internet
- Audit Jolokia endpoint permissions and apply the principle of least privilege; non-admin users should not retain exec-level MBean access
- Replace default credentials (admin:admin) — they remain the primary initial access vector in ActiveMQ attacks
- Monitor for anomalous JMS message properties containing HTTP header keywords such as Content-Security-Policy, X-Frame-Options, or Set-Cookie
- Review network segmentation around ActiveMQ brokers used in microservices architectures, where lateral movement risk is highest
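The following is an added illustration, not code from Apache ActiveMQ: it contrasts the property-to-header copying pattern described above for the MessageServlet with an allowlist-based mapping, and the rejected properties it reports double as the monitoring signal recommended in the mitigations (the `x-msg-` prefix, the header list, and the sample message are assumptions constructed for this example).

```python
import re

# Response headers that govern browser-side security; a message property
# must never be allowed to set or override them (names are case-insensitive).
SECURITY_HEADERS = {
    "content-security-policy", "x-frame-options",
    "strict-transport-security", "set-cookie", "location",
    "x-content-type-options", "access-control-allow-origin",
}
# Assumed convention: only properties under this prefix may become headers.
ALLOWED_PREFIX = "x-msg-"
CRLF = re.compile(r"[\r\n]")

# Constructed sample message properties (not a captured message).
SAMPLE_PROPERTIES = {
    "x-msg-correlation": "order-8841",
    "Content-Security-Policy": "default-src *",
    "JMSXGroupID": "billing",
    "x-msg-note": "ok\r\nX-Injected: 1",
}

def vulnerable_headers(props):
    """The pattern the advisory describes: every JMS property is copied
    verbatim into an HTTP response header, security headers included."""
    return {name: str(value) for name, value in props.items()}

def hardened_headers(props):
    """Allowlist-based mapping. Returns (headers, findings): headers that
    may be emitted, and rejected properties with the reason, suitable for
    feeding an alerting pipeline."""
    headers, findings = {}, []
    for name, value in props.items():
        lname = name.strip().lower()
        value = str(value)
        if lname in SECURITY_HEADERS:
            findings.append((name, "security header override attempt"))
        elif CRLF.search(name) or CRLF.search(value):
            findings.append((name, "CR/LF in header name or value"))
        elif not lname.startswith(ALLOWED_PREFIX):
            findings.append((name, "property not in allowlist"))
        else:
            headers[name] = value
    return headers, findings

if __name__ == "__main__":
    print("vulnerable:", vulnerable_headers(SAMPLE_PROPERTIES))
    print("hardened:", hardened_headers(SAMPLE_PROPERTIES))
```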
Apache ActiveMQ has been under sustained scrutiny from threat researchers throughout 2025–2026. CVE-2026-40466 (patched in 5.19.6/6.2.5) and CVE-2026-42588 (patched in 5.19.7/6.2.6) represent additional code injection vulnerabilities in the Jolokia pathway disclosed within the same quarter.
The pattern reflects a systemic design risk: management interfaces with broad default permissions and insufficient input validation, compounded by slow patching cadences in large enterprise deployments.
With ActiveMQ embedded across financial, healthcare, and telecommunications messaging infrastructure globally, each unpatched instance represents a significant breach vector.
FAQ
Q1. What is CVE-2026-42253 in Apache ActiveMQ?
It is an HTTP Response Header Injection flaw in the MessageServlet that allows attackers to inject malicious headers via unsanitized JMS message properties, enabling XSS and session hijacking.
Q2. Which Apache ActiveMQ versions are vulnerable to CVE-2026-42253 and CVE-2026-49157?
All Apache ActiveMQ and ActiveMQ Web versions before 5.19.7, and versions 6.0.0 through 6.2.5, are vulnerable to both CVEs.
Q3. How did Apache fix CVE-2026-42253?
The Apache Software Foundation deprecated and disabled the vulnerable MessageServlet component by default in ActiveMQ 5.19.7 and 6.2.6, removing the attack surface entirely.
Q4. Can CVE-2026-42253 and CVE-2026-49157 be chained together?
Yes, CVE-2026-49157 gives low-privilege users Jolokia access to inject crafted JMS messages, which CVE-2026-42253 then propagates as malicious HTTP headers, enabling a multi-stage attack on the broker and its web console users.