Platform: java
Component: org.apache.activemq:activemq-client
Fixed in: 5.19.4, 6.2.4
CVE-2026-39304 describes a Denial of Service (DoS) vulnerability within Apache ActiveMQ Client, ActiveMQ Broker, and ActiveMQ. This vulnerability arises from improper handling of TLSv1.3 handshake KeyUpdates, allowing a client to exhaust the broker's memory resources. Versions affected are those prior to 5.9.1, and a fix is available in version 5.19.4.
An attacker can exploit this vulnerability by sending a series of rapid TLSv1.3 KeyUpdates to the ActiveMQ broker. The broker's SSL engine, lacking proper handling of these updates, will attempt to process them, leading to excessive memory allocation. This ultimately results in the broker exhausting its available memory, causing it to become unresponsive and unavailable – a denial of service. The impact extends beyond the client initiating the attack; the entire ActiveMQ infrastructure becomes unavailable, potentially disrupting dependent applications and services. This vulnerability is particularly concerning as ActiveMQ is frequently used in enterprise messaging systems, making it a critical component for many organizations.
CVE-2026-39304 was publicly disclosed on 2026-04-10. The vulnerability is relatively straightforward to understand and exploit, which may increase the risk of opportunistic attacks. No known public exploits or active campaigns have been reported at the time of writing, but the ease of exploitation warrants careful attention. It is not currently listed on the CISA KEV catalog. Because the flaw depends on TLSv1.3, it is specific to newer ActiveMQ deployments that negotiate that protocol.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-39304 is to upgrade to ActiveMQ version 5.19.4 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds. Disabling TLSv1.3 on the broker can prevent the vulnerability from being triggered, although this will impact clients requiring that protocol. Network firewalls or proxy servers can be configured to rate-limit TLSv1.3 KeyUpdate requests to the ActiveMQ broker, reducing the potential for memory exhaustion. Monitor ActiveMQ broker memory usage closely for unusual spikes, which could indicate an ongoing attack. After upgrading, confirm the fix by attempting to trigger a TLSv1.3 KeyUpdate from a client and verifying that the broker does not experience memory exhaustion.
Upgrade to version 6.2.4 or 5.19.5 to mitigate the vulnerability. This update corrects the improper handling of TLSv1.3 key updates, preventing memory exhaustion and the potential denial of service attack.
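The TLSv1.3-disabling workaround described above, as an added example that is not part of the advisory or of the ActiveMQ project: a broker-side transport connector in conf/activemq.xml pinned to TLSv1.2 through the transport.enabledProtocols URI option. The broker name, connector name, port, and keystore paths and passwords are assumptions for illustration.

```xml
<!-- Constructed example of the broker-side workaround (conf/activemq.xml).
     Names, port and keystore details are assumptions; adjust to the deployment. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <!-- Keystore and truststore wiring; paths and passwords are placeholders. -->
  <sslContext>
    <sslContext keyStore="file:${activemq.conf}/broker.ks"
                keyStorePassword="CHANGE_ME"
                trustStore="file:${activemq.conf}/broker.ts"
                trustStorePassword="CHANGE_ME"/>
  </sslContext>

  <transportConnectors>
    <!-- Before the workaround: the connector negotiates whatever protocol versions
         the JVM offers, which on a current JDK includes TLSv1.3. -->
    <!--
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
    -->

    <!-- Workaround until the broker runs a fixed release: only TLSv1.2 is offered,
         so no TLSv1.3 KeyUpdate can reach the broker's SSL engine. As the advisory
         notes, clients that require TLSv1.3 will no longer be able to connect. -->
    <transportConnector name="ssl"
        uri="ssl://0.0.0.0:61617?transport.enabledProtocols=TLSv1.2"/>
  </transportConnectors>
</broker>
```

After restarting the broker, a client handshake that is forced to TLSv1.3 should be rejected while TLSv1.2 clients continue to connect; remove the restriction once the upgrade to a fixed version is complete.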
CVE-2026-39304 is a denial-of-service vulnerability in Apache ActiveMQ Client versions up to 5.9.1. A malicious client can trigger excessive memory usage by sending rapid TLSv1.3 KeyUpdates, leading to broker unavailability.
You are affected if you are using Apache ActiveMQ Client, Broker, or ActiveMQ versions 5.9.1 or earlier. Upgrade to 5.19.4 or later to mitigate the risk.
The recommended fix is to upgrade to Apache ActiveMQ version 5.19.4 or later. As a temporary workaround, consider disabling TLSv1.3 or rate-limiting KeyUpdate requests.
No active exploitation has been confirmed at this time, but the vulnerability's ease of exploitation warrants vigilance and prompt patching.
Refer to the Apache ActiveMQ security page for the official advisory and further details: [https://activemq.apache.org/security/](https://activemq.apache.org/security/)