High (8.8)

ActiveMQ RCE via Spring XML (CVE-2026-41044)


CVE-2026-41044: ActiveMQ pre-5.19.6/6.2.5 remote code execution via malicious broker name and Spring XML injection. Update to 5.19.6 or 6.2.5 to fix.

Affected: Apache ActiveMQ, Apache ActiveMQ Broker

Vendor-confirmed: CVE-2026-41044 is a high-severity remote code execution vulnerability in Apache ActiveMQ (before 5.19.6 and before 6.2.5) that lets an authenticated attacker execute arbitrary code on the broker’s JVM by chaining an input validation bypass with Spring XML deserialization. Patched versions are available; prioritize upgrading.

Overview

CVE-2026-41044 is an improper input validation and code injection vulnerability affecting Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All. An authenticated attacker with access to the admin web console can construct a malicious broker name that bypasses input validation. This payload includes an xbean binding that later becomes active when a VM transport is created.

The attack chain works as follows:

  1. The attacker uses the admin console to set a specially crafted broker name containing Spring XML references.
  2. The attacker then uses the DestinationView MBean to send a message that triggers the creation of a VM transport referencing the malicious broker name.
  3. The VM transport loads a remote Spring XML application context via ResourceXmlApplicationContext. Because Spring instantiates all singleton beans before the configuration is validated, attacker-supplied bean factory methods (e.g., Runtime.exec()) execute arbitrary code on the broker’s JVM.

Impact

Successful exploitation grants an authenticated attacker remote code execution on the ActiveMQ broker’s Java Virtual Machine. This can lead to full compromise of the message broker, data exfiltration, lateral movement within the network, and use of the broker as a pivot point for further attacks.

The vulnerability is rated High severity with a CVSS score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The EPSS probability of exploitation in the next 30 days is very low at 0.1%, but attack complexity is low and only low privileges are required.

Affected Versions

  • Apache ActiveMQ: all versions before 5.19.6, and 6.0.0 through 6.2.4
  • Apache ActiveMQ Broker: all versions before 5.19.6, and 6.0.0 through 6.2.4
  • Apache ActiveMQ All: all versions before 5.19.6, and 6.0.0 through 6.2.4

Remediation

Users should upgrade to version 5.19.6 (Classic branch) or version 6.2.5 (Artemis branch) immediately. These versions include fixes to broker name validation and prevent loading of untrusted Spring XML contexts.

As an interim mitigation, restrict access to the admin web console to authorized administrators only. Disable the VM transport if it is not required for your deployment.
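The two checks a defender can automate from this advisory are the version ranges listed under Affected Versions and the broker name validation that the fix tightens. The script below is an added example, not ActiveMQ project code: it flags brokers whose version falls in the affected ranges and rejects broker names that are anything other than a plain identifier (the allowlist pattern is an assumption chosen for this example, not the validation rule ActiveMQ itself applies).

```python
import re

# Fixed versions per the advisory: 5.19.6 for the 5.x line, 6.2.5 for the 6.x line.
FIXED = {5: (5, 19, 6), 6: (6, 2, 5)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed allowlist: a broker name should be an identifier, never a URI with
# transport options or an XML/xbean reference that a VM transport could resolve.
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch'; trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies in an affected range from the advisory."""
    v = parse_version(version)
    if v[0] <= 5:            # "all versions before 5.19.6"
        return v < FIXED[5]
    if v[0] == 6:            # "6.0.0 through 6.2.4"
        return v < FIXED[6]
    return False             # later major lines are not listed as affected


def broker_name_is_safe(name: str) -> bool:
    """Reject names that could smuggle transport options or a Spring XML reference."""
    return bool(_SAFE_NAME_RE.match(name))


def audit(version: str, broker_name: str) -> list:
    """Return findings for one broker; an empty list means nothing to report."""
    findings = []
    if is_affected(version):
        fixed = FIXED[5 if parse_version(version)[0] <= 5 else 6]
        findings.append(f"version {version} is affected by CVE-2026-41044; "
                        f"upgrade to {'.'.join(map(str, fixed))}")
    if not broker_name_is_safe(broker_name):
        findings.append(f"broker name {broker_name!r} is not a plain identifier; reject it")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, name in [("5.18.3", "localhost"), ("6.2.5", "broker-01"), ("6.1.0", "b?x=y")]:
        print(ver, name, audit(ver, name) or "ok")
```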

Security Insight

This vulnerability is particularly notable because it exploits a legitimate feature of ActiveMQ (xbean binding and Spring XML configuration) through a validation bypass that should have been caught in a security review. It mirrors the pattern seen in other middleware CVEs where authenticated access to administrative consoles becomes a vector for code execution when input sanitization fails to keep pace with feature complexity. Organizations running message brokers should enforce strict network segmentation and limit console access to the smallest possible set of trusted users.
