High (8.8)

ActiveMQ code injection after auth bypass (CVE-2026-40466)


CVE-2026-40466: Apache ActiveMQ 5.x/6.x allows authenticated attackers to achieve RCE via Spring config injection. Update to 5.19.6 or 6.2.5.

Affected: Apache ActiveMQ, Apache ActiveMQ Broker

Vendor-confirmed - CVE-2026-40466 is a high-severity code-injection vulnerability in Apache ActiveMQ Broker 5.19.5 and earlier, and 6.2.4 and earlier, that lets authenticated attackers bypass a previous patch (CVE-2026-34197) and execute arbitrary code on the broker JVM. Patched in versions 5.19.6 and 6.2.5 - update immediately.

Overview

CVE-2026-40466 is a code injection vulnerability resulting from improper input validation in Apache ActiveMQ’s HTTP Discovery transport handling. The flaw exists because a malicious HTTP discovery endpoint can return a VM transport URI that bypasses the validation added for CVE-2026-34197. An attacker with low-privileged authenticated access can then use the VM transport’s brokerConfig parameter to make the broker load a remote Spring XML application context.

Because Spring’s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, this loading triggers arbitrary code execution on the broker’s Java Virtual Machine through bean factory methods such as Runtime.exec().

The attack vector requires:

  • Authenticated access to the broker via Jolokia
  • The activemq-http module present on the classpath
  • The ability to call BrokerView.addNetworkConnector or BrokerView.addConnector

Impact

This vulnerability carries a CVSS 8.8 (HIGH) score. An authenticated attacker can achieve full remote code execution on the broker’s JVM, potentially leading to:

  • Complete compromise of the message broker
  • Lateral movement to connected systems
  • Data exfiltration of messages and credentials
  • Denial of service against messaging infrastructure

The EPSS probability of exploitation in the next 30 days is 0.1%, indicating this is not currently under active, widespread attack. However, the bypass of a previously patched CVE makes this an attractive target for motivated attackers.

Remediation

The vendor has released fixes in ActiveMQ Broker versions 5.19.6 and 6.2.5. Users on any affected version should upgrade immediately. No workarounds or mitigations are available - patching is required.

Note that this vulnerability bypasses the fix applied for CVE-2026-34197, which was added to CISA’s Known Exploited Vulnerabilities catalog. This emphasizes that partial fixes are insufficient for injection-type vulnerabilities in ActiveMQ’s connector handling.

Security Insight

CVE-2026-40466 demonstrates a recurring weakness in Apache ActiveMQ’s approach to input validation: the HTTP Discovery transport remains a persistent attack surface despite repeated CVE disclosures. The fact that an attacker can bypass a KEV-listed vulnerability’s fix by simply switching transport protocols suggests that the underlying architectural trust model - not just individual input checks - needs re-evaluation. Until ActiveMQ enforces strict URI whitelisting at the transport selection layer, similar bypass chains are likely to persist.
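The following is an added defender-side example, not code from the advisory or from ActiveMQ itself. It turns two points above into checks: the fixed-version boundaries from the Remediation section, and the strict scheme allowlisting for discovered transport URIs that the Security Insight calls for. The allowlist contents, the xbean: prefix handling and the sample URIs are assumptions made for illustration.

```python
"""Constructed checks for CVE-2026-40466; illustrative only, not ActiveMQ code."""
from urllib.parse import urlsplit, parse_qs

# First fixed release per major line, as stated in the advisory.
FIXED = {5: (5, 19, 6), 6: (6, 2, 5)}


def parse_version(version):
    """'6.2.4-SNAPSHOT' -> (6, 2, 4); qualifiers after '-' are ignored."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3])


def is_affected(version):
    """True for a 5.x/6.x broker version older than its fixed release.

    Incomplete versions such as '5.19' compare lower than the fix and are
    therefore treated as affected, which is the safe default.
    """
    parts = parse_version(version)
    fixed = FIXED.get(parts[0])
    if fixed is None:
        return False  # the advisory covers only the 5.x and 6.x lines
    return parts < fixed


# Assumed allowlist: discovery should only ever hand back network transports.
# The in-process vm: transport is deliberately absent, so a vm: URI carrying
# brokerConfig (the bypass shape described above) is rejected on scheme alone.
ALLOWED_SCHEMES = {"tcp", "ssl", "nio", "nio+ssl"}
REMOTE_SCHEMES = ("http:", "https:", "ftp:")


def broker_config_is_remote(value):
    """brokerConfig values look like 'xbean:<resource>'; flag remote resources."""
    resource = value.split(":", 1)[1] if value.lower().startswith("xbean:") else value
    return resource.lower().startswith(REMOTE_SCHEMES)


def check_discovered_uri(uri):
    """Return (ok, reason) for a transport URI returned by HTTP discovery."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' is not on the allowlist"
    # Defence in depth: a discovered URI has no business configuring the broker.
    for value in parse_qs(parts.query).get("brokerConfig", []):
        kind = "remote" if broker_config_is_remote(value) else "local"
        return False, f"brokerConfig ({kind} resource) not permitted in discovered URI"
    return True, "ok"
```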
