Platform
java
Component
org.apache.activemq:activemq-client
Fixed in
5.19.3
6.2.2
CVE-2026-33227 describes an improper validation and restriction of classpath path names vulnerability affecting Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, and Apache ActiveMQ. The flaw allows an authenticated user to potentially load arbitrary classpath resources by manipulating the 'key' value during Stomp consumer creation or while browsing messages in the Web console. The vulnerability impacts versions up to 5.9.1, and a patch is available in version 5.19.3.
CVE-2026-33227 in Apache ActiveMQ affects several components (Client, Broker, All, Web) due to improper validation of the classpath path. An authenticated user can manipulate the 'key' value to concatenate paths, potentially accessing resources outside the expected class directory. This could allow an attacker to read sensitive files or execute malicious code if executable files are accessible within the classpath. The vulnerability's severity is rated as CVSS 4.3, indicating a moderate risk. Successful exploitation requires authentication, but the potential impact is significant, especially in environments where ActiveMQ is used to transmit sensitive information.
The vulnerability manifests in two scenarios: when creating a Stomp consumer and when browsing messages in the web console. In both cases, an attacker can inject special characters into the 'key' value to construct a malicious classpath path. Path concatenation allows the attacker to access arbitrary files on the file system, provided the ActiveMQ process has the necessary permissions. The complexity of exploitation is relatively low, as it only requires authentication and the ability to manipulate the 'key' value.
Exploit Status
EPSS
0.05% (15th percentile)
CVSS Vector
The recommended solution is to upgrade to version 5.19.3 or later of Apache ActiveMQ. This version corrects the vulnerability by implementing stricter classpath path validation. In the meantime, as a temporary measure, restrict access to the web console and limit the privileges of authenticated users. It's crucial to review the ActiveMQ configuration to ensure that non-standard classpath paths or configurations that could facilitate exploitation are not being used. Monitoring ActiveMQ logs for suspicious patterns can also help detect exploitation attempts.
Upgrade to version 5.19.4 or 6.2.3 of Apache ActiveMQ to mitigate the vulnerability. On Windows environments, ensure you upgrade to version 6.2.3 to correct a path separator resolution bug.
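The advisory attributes the flaw to a caller-controlled 'key' being joined to a classpath path without validation, and the fix to stricter validation of that path. The following is an added illustration of what such validation looks like; it is not ActiveMQ's code, and the class name, the `BASE` directory and the sample keys are constructed for the example. The unsafe method shows the concatenation pattern the description refers to; the hardened method only accepts a single allow-listed path segment, which also rules out the backslash separators that the Windows note above concerns.

```java
import java.net.URL;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added illustration (not ActiveMQ's own code): validate a caller-supplied
 * resource "key" before it is joined to a fixed classpath prefix.
 */
public final class ResourceKeyValidator {

    /** Fixed, trusted directory inside the classpath (hypothetical name). */
    static final String BASE = "org/example/allowed/";

    /** Allow-list: one path segment of safe characters plus an optional short extension. */
    private static final Pattern SAFE_KEY =
            Pattern.compile("[A-Za-z0-9_-]{1,64}(\\.[A-Za-z0-9]{1,8})?");

    /**
     * Vulnerable pattern: the key is concatenated as-is, so a key containing
     * parent-directory references or separators resolves outside BASE.
     */
    static URL loadUnsafe(String key) {
        return ResourceKeyValidator.class.getClassLoader().getResource(BASE + key);
    }

    /** Returns null when the key is acceptable, otherwise a short reason suitable for logging. */
    static String rejectReason(String key) {
        if (key == null || key.isEmpty()) return "empty key";
        if (key.indexOf('\0') >= 0) return "NUL byte";
        // Reject both separators so the check does not depend on the host platform.
        if (key.indexOf('/') >= 0 || key.indexOf('\\') >= 0) return "path separator";
        if (key.contains("..")) return "parent-directory reference";
        if (key.indexOf(':') >= 0) return "scheme or drive separator";
        if (!SAFE_KEY.matcher(key).matches()) return "character outside allow-list";
        return null;
    }

    /** Hardened pattern: refuse anything that is not a plain file name under BASE. */
    static URL loadSafe(String key) {
        String reason = rejectReason(key);
        if (reason != null) {
            // A rejected key is worth logging: it is the "suspicious pattern" a monitor would look for.
            System.err.println("rejected resource key [" + key + "]: " + reason);
            throw new IllegalArgumentException("invalid resource key");
        }
        return ResourceKeyValidator.class.getClassLoader().getResource(BASE + key);
    }

    public static void main(String[] args) {
        // Constructed sample keys: one benign name and several shaped like the
        // path concatenation the advisory describes.
        List<String> samples = List.of(
                "queue-config.properties",
                "../secret.properties",
                "/absolute/path.txt",
                "..\\other.txt",
                "file:x");
        for (String k : samples) {
            String reason = rejectReason(k);
            System.out.println(k + " -> " + (reason == null ? "accepted" : "rejected: " + reason));
        }
    }
}
```

The allow-list approach is deliberately stricter than blocking known-bad substrings: it accepts exactly the shape a legitimate key has and rejects everything else, so it does not need a separate rule for each separator or encoding. Keeping `rejectReason` as a pure function also lets the same check feed a log line or an audit counter without duplicating the logic.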
Versions prior to 5.19.3 of Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, and Apache ActiveMQ are vulnerable.
It is recommended to update all ActiveMQ components to version 5.19.3 or later to ensure maximum security.
As a temporary measure, restrict access to the web console and limit the privileges of authenticated users. Review the ActiveMQ configuration and monitor the logs.
An attacker could access any file that the ActiveMQ process has access to, including configuration files, API keys, and other sensitive data.
Currently, there are no specific tools to detect the exploitation of this vulnerability. Monitoring ActiveMQ logs for suspicious patterns is the best option.