Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-04-24T10:16:53 org.apache.activemq/activemq-broker: org.apache.activemq/activemq-all: Apache ActiveMQ: Arbitrary code execution via improper input validation in admin console 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CWE-94

A flaw was found in Apache ActiveMQ. An authenticated attacker can exploit an improper input validation vulnerability in the admin web console to craft a malicious broker name. This malicious name, containing an xbean binding, can be used by a virtual machine (VM) transport to load a remote Spring XML application. By triggering the VM transport creation, the attacker can execute arbitrary code on the broker's Java Virtual Machine (JVM).

This vulnerability is rated as important by Red Hat. Successful execution of this attack requires elevated privileges, as the attacker must have control over an authenticated user account with access to the admin web console. Red Hat AMQ Broker 7 Affected activemq-broker Red Hat Data Grid 8 Not affected activemq-broker Red Hat Enterprise Linux 8 Not affected log4j:2/log4j Red Hat Enterprise Linux 9 Not affected log4j Red Hat Fuse 7 Not affected activemq-all Red Hat Fuse 7 Not affected activemq-broker Red Hat JBoss Enterprise Application Platform 7 Will not fix activemq-broker Red Hat JBoss Enterprise Application Platform 8 Not affected activemq-broker Red Hat JBoss Enterprise Application Platform Expansion Pack Not affected activemq-broker https://www.cve.org/CVERecord?id=CVE-2026-41044 https://nvd.nist.gov/vuln/detail/CVE-2026-41044 http://www.openwall.com/lists/oss-security/2026/04/23/6 https://activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt