<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
	<DocumentTitle xml:lang="en">An update for activemq is now available for openEuler-24.03-LTS-SP3</DocumentTitle>
	<DocumentType>Security Advisory</DocumentType>
	<DocumentPublisher Type="Vendor">
		<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
		<IssuingAuthority>openEuler security committee</IssuingAuthority>
	</DocumentPublisher>
	<DocumentTracking>
		<Identification>
			<ID>openEuler-SA-2026-2127</ID>
		</Identification>
		<Status>Final</Status>
		<Version>1.0</Version>
		<RevisionHistory>
			<Revision>
				<Number>1.0</Number>
				<Date>2026-05-03</Date>
				<Description>Initial</Description>
			</Revision>
		</RevisionHistory>
		<InitialReleaseDate>2026-05-03</InitialReleaseDate>
		<CurrentReleaseDate>2026-05-03</CurrentReleaseDate>
		<Generator>
			<Engine>openEuler SA Tool V1.0</Engine>
			<Date>2026-05-03</Date>
		</Generator>
	</DocumentTracking>
	<DocumentNotes>
		<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">activemq security update</Note>
		<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for activemq is now available for openEuler-24.03-LTS-SP3</Note>
		<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">The most popular and powerful open source messaging and Integration Patterns server.

Security Fix(es):

Severity: low

Affected versions:

- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.3
- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before 6.2.2
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.3
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.2
- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.3
- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.2
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.3
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.2

Description:

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.

In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided &quot;key&quot; value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2.

Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.

Credit:

Dawei Wang (finder)

References: (CVE-2026-33227)

Severity: important

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3

Description:

Improper Input Validation, Improper Control of Generation of Code (&apos;Code Injection&apos;) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport&apos;s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring&apos;s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker&apos;s JVM through bean factory methods such as Runtime.exec().
This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: .

Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.

Credit:

Naveen Sunkavally (Horizon3.ai) (finder)

References: (CVE-2026-34197)

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.

Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.
This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.(CVE-2026-39304)

Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for &quot;CVE-2025-66168: MQTT control packet remaining length field is not properly validated&quot; was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.(CVE-2026-40046)

A vulnerability, which was classified as problematic, has been found in Apache ActiveMQ up to 5.19.5/6.2.4 (Application Server Software). Impacted is integrity. Upgrading to version 5.19.6 or 6.2.5 eliminates this vulnerability.(CVE-2026-40466)

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.(CVE-2026-41043)

A vulnerability has been found in Apache ActiveMQ up to 5.19.5/6.2.4 and classified as problematic. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.19.6 or 6.2.5 eliminates this vulnerability.(CVE-2026-41044)</Note>
		<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for activemq is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4.

openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
		<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
		<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">activemq</Note>
	</DocumentNotes>
	<DocumentReferences>
		<Reference Type="Self">
			<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
		</Reference>
		<Reference Type="openEuler CVE">
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-33227</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34197</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-39304</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40046</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40466</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-41043</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-41044</URL>
		</Reference>
		<Reference Type="Other">
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-33227</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-34197</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-39304</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-40046</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-40466</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-41043</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-41044</URL>
		</Reference>
	</DocumentReferences>
	<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
		<Branch Type="Product Name" Name="openEuler">
			<FullProductName ProductID="openEuler-24.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP3">openEuler-24.03-LTS-SP3</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="src">
			<FullProductName ProductID="activemq-5.19.6-1" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP3" EPOL="true">activemq-5.19.6-1.oe2403sp3.src.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="noarch">
			<FullProductName ProductID="activemq-5.19.6-1" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP3" EPOL="true">activemq-5.19.6-1.oe2403sp3.noarch.rpm</FullProductName>
			<FullProductName ProductID="activemq-javadoc-5.19.6-1" CPE="cpe:/a:openEuler:openEuler:24.03-LTS-SP3" EPOL="true">activemq-javadoc-5.19.6-1.oe2403sp3.noarch.rpm</FullProductName>
		</Branch>
	</ProductTree>
	<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Severity: low

Affected versions:

- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.3
- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before 6.2.2
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.3
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.2
- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.3
- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.2
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.3
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.2

Description:

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All.

In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided &quot;key&quot; value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2.

Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.

Credit:

Dawei Wang (finder)

References:</Note>
		</Notes>
		<ReleaseDate>2026-05-03</ReleaseDate>
		<CVE>CVE-2026-33227</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>Medium</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>4.3</BaseScore>
				<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>activemq security update</Description>
				<DATE>2026-05-03</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Severity: important

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3

Description:

Improper Input Validation, Improper Control of Generation of Code (&apos;Code Injection&apos;) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport&apos;s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring&apos;s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker&apos;s JVM through bean factory methods such as Runtime.exec().
This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: .

Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.

Credit:

Naveen Sunkavally (Horizon3.ai) (finder)

References:</Note>
		</Notes>
		<ReleaseDate>2026-05-03</ReleaseDate>
		<CVE>CVE-2026-34197</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>8.8</BaseScore>
				<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>activemq security update</Description>
				<DATE>2026-05-03</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.

Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.
This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.</Note>
		</Notes>
		<ReleaseDate>2026-05-03</ReleaseDate>
		<CVE>CVE-2026-39304</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.5</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>activemq security update</Description>
				<DATE>2026-05-03</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for &quot;CVE-2025-66168: MQTT control packet remaining length field is not properly validated&quot; was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.</Note>
		</Notes>
		<ReleaseDate>2026-05-03</ReleaseDate>
		<CVE>CVE-2026-40046</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.5</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>activemq security update</Description>
				<DATE>2026-05-03</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="5" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability, which was classified as problematic, has been found in Apache ActiveMQ up to 5.19.5/6.2.4 (Application Server Software). Impacted is integrity. Upgrading to version 5.19.6 or 6.2.5 eliminates this vulnerability.</Note>
		</Notes>
		<ReleaseDate>2026-05-03</ReleaseDate>
		<CVE>CVE-2026-40466</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>8.8</BaseScore>
				<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>activemq security update</Description>
				<DATE>2026-05-03</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="6" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.

An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field.

This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5.

Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.</Note>
		</Notes>
		<ReleaseDate>2026-05-03</ReleaseDate>
		<CVE>CVE-2026-41043</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>Medium</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>6.5</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>activemq security update</Description>
				<DATE>2026-05-03</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="7" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability has been found in Apache ActiveMQ up to 5.19.5/6.2.4 and classified as problematic. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.19.6 or 6.2.5 eliminates this vulnerability.</Note>
		</Notes>
		<ReleaseDate>2026-05-03</ReleaseDate>
		<CVE>CVE-2026-41044</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-24.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>8.8</BaseScore>
				<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>activemq security update</Description>
				<DATE>2026-05-03</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2127</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
</cvrfdoc>