Bug 2494843 (CVE-2026-49434)

Summary: CVE-2026-49434 org.apache.activemq/activemq-broker: org.apache.activemq/activemq-core: org.apache.activemq/activemq-all: Apache ActiveMQ: Unauthorized broker instantiation via improper input validation in LDAP entries
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anthomas, anujha, aschwart, asoldano, aszczucz, ataylor, bbaranow, bmaxwell, boliveir, bstansbe, dbruscin, dlofthou, drichtar, ehelms, ehugonne, fmariani, ggainey, gmalinko, gtanzill, istudens, ivassile, iweiss, janstey, jbuscemi, jpasqual, juwatts, jwon, kvanderr, mcarlett, mhulan, mosmerov, mposolda, msvehla, nmoumoul, nwallace, osousa, pcreech, pdelbell, pesilva, pjindal, pmackay, rchan, rhel-process-autobot, rmartinc, rstancel, rstepani, smallamp, ssilvert, sthorger, tcunning, thjenkin, tmalecek, vdosoudi, vmuzikar, watson-tool-maintainers, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Apache ActiveMQ. An attacker with privileges to publish or modify entries in Lightweight Directory Access Protocol (LDAP) can exploit an improper input validation vulnerability. This allows the attacker to instantiate denied transports within the broker's Java Virtual Machine (JVM). Consequently, this can be used to fetch an attacker-controlled URL and launch an additional BrokerService within the same JVM, potentially leading to a denial of service or further system compromise.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2495064, 2495066, 2495068    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-30 11:02:20 UTC
Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.

An attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used to fetch an attacker URL and spawn a second BrokerService inside the same JVM.
This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7.


Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.