{ "threat_severity" : "Moderate", "public_date" : "2026-04-07T07:50:58Z", "bugzilla" : { "description" : "org.apache.activemq/activemq-client: org.apache.activemq/activemq-broker: org.apache.activemq/activemq-all: org.apache.activemq/activemq-web: improper limitation of a pathname to a restricted classpath directory", "id" : "2455867", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2455867" }, "cvss3" : { "cvss3_base_score" : "4.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status" : "draft" }, "cwe" : "CWE-22", "details" : [ "Improper validation and restriction of a classpath path name vulnerability in \nApache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.\nThis issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.", "A flaw was found in Apache ActiveMQ Client, Apache ActiveMQ Broker and Apache ActiveMQ All. A path traversal vulnerability, specifically an improper limitation of a pathname to a restricted directory, allows an authenticated user to manipulate input to traverse the classpath of the application, leading to an unauthorized classpath resource loading issue." ], "statement" : "To exploit this issue, an attacker must have valid credentials to create a Stomp consumer or log into the Web console. Additionally, this flaw only allows an authenticated user to read files from the classpath of the application, there is no impact to the availability or the integrity of the application. Due to these reasons, this vulnerability has been rated with a moderate severity.", "package_state" : [ { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Fix deferred", "package_name" : "activemq-broker", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Fix deferred", "package_name" : "activemq-client", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Fix deferred", "package_name" : "activemq-client", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Fix deferred", "package_name" : "activemq-broker", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Fix deferred", "package_name" : "activemq-client", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "log4j:2/log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "activemq-all", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "activemq-broker", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "activemq-client", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "activemq-web", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Fix deferred", "package_name" : "activemq-broker", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Fix deferred", "package_name" : "activemq-client", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Fix deferred", "package_name" : "activemq-broker", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Fix deferred", "package_name" : "activemq-client", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Fix deferred", "package_name" : "activemq-broker", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Fix deferred", "package_name" : "activemq-client", "cpe" : "cpe:/a:redhat:jbosseapxp" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33227\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33227\nhttp://www.openwall.com/lists/oss-security/2026/04/06/4\nhttps://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt" ], "name" : "CVE-2026-33227", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }