CVE-2026-49434 | Improper Input Validation vulnerability in Apache ActiveMQ B…

Description

Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. An attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used to fetch an attacker URL and spawn a second BrokerService inside the same JVM. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Metadata

CVE ID: CVE-2026-49434
State: PUBLISHED
Assigner: apache
Reserved: 2026-05-29 20:48 UTC
Published: 2026-06-30 09:55 UTC
Last updated: 2026-06-30 11:06 UTC
Primary CWE: CWE-20
CWE-20 Improper Input Validation
Vendor / Product: Apache Software Foundation / Apache ActiveMQ Broker
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (3)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache ActiveMQ	—	0 < 5.19.8, 6.0.0 < 6.2.7
Apache Software Foundation	Apache ActiveMQ All	—	0 < 5.19.8, 6.0.0 < 6.2.7
Apache Software Foundation	Apache ActiveMQ Broker	—	0 < 5.19.8, 6.0.0 < 6.2.7

Weakness (CWE)

CWE	Source	Description
CWE-20	cna	CWE-20 Improper Input Validation

References (1)

https://lists.apache.org/thread/hcjh7kdk4l85tb9ksmvcnkhso1ngj50o