Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-04-24T10:15:44 org.apache.activemq/activemq-all: org.apache.activemq/activemq-broker: Apache ActiveMQ: Arbitrary code execution via improper input validation in HTTP Discovery transport 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-94

A flaw was found in Apache ActiveMQ. An authenticated attacker can bypass a previous security fix by adding a connector using an HTTP Discovery transport through Jolokia, if the activemq-http module is present. A malicious HTTP endpoint can return a virtual machine (VM) transport, which allows the attacker to load a remote Spring XML application context. This can lead to arbitrary code execution on the broker's Java Virtual Machine (JVM).

Red Hat AMQ Broker 7 Affected activemq-broker Red Hat Data Grid 8 Not affected activemq-broker Red Hat Enterprise Linux 8 Not affected log4j:2/log4j Red Hat Enterprise Linux 9 Not affected log4j Red Hat Fuse 7 Not affected activemq-all Red Hat Fuse 7 Not affected activemq-broker Red Hat JBoss Enterprise Application Platform 7 Will not fix activemq-broker Red Hat JBoss Enterprise Application Platform 8 Not affected activemq-broker Red Hat JBoss Enterprise Application Platform Expansion Pack Not affected activemq-broker https://www.cve.org/CVERecord?id=CVE-2026-40466 https://nvd.nist.gov/vuln/detail/CVE-2026-40466 https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt