CVE-2026-33227 Overview
CVE-2026-33227 is a classpath path traversal vulnerability affecting multiple Apache ActiveMQ components. The vulnerability stems from improper validation and restriction of classpath path names, allowing authenticated attackers to traverse the classpath by constructing malicious "key" values. This path traversal issue manifests in two specific attack surfaces: when creating a Stomp consumer and when browsing messages through the Web console.
Critical Impact
Authenticated users can exploit path concatenation flaws to traverse the classpath, potentially enabling resource loading attacks that could be chained with other exploits for broader system compromise.
Affected Products
- Apache ActiveMQ Client: versions before 5.19.3, and versions 6.0.0 through 6.2.1
- Apache ActiveMQ Broker: versions before 5.19.3, and versions 6.0.0 through 6.2.1
- Apache ActiveMQ All: versions before 5.19.3, and versions 6.0.0 through 6.2.1
- Apache ActiveMQ Web: versions before 5.19.3, and versions 6.0.0 through 6.2.1
- Apache ActiveMQ: versions before 5.19.3, and versions 6.0.0 through 6.2.1
Discovery Timeline
- April 7, 2026 - CVE-2026-33227 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33227
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in how Apache ActiveMQ handles user-provided "key" values in two distinct contexts within the application.
The first vulnerable path occurs during Stomp consumer creation, where an authenticated user can supply a crafted key value that exploits insufficient path validation. The second attack vector exists within the Web console's message browsing functionality, where similar path concatenation issues allow traversal beyond intended classpath boundaries.
What makes this vulnerability particularly concerning is its potential for exploit chaining. While the classpath resource loading vulnerability itself requires authentication, successful exploitation could serve as a stepping stone for more severe attacks when combined with other vulnerabilities in the target environment.
Root Cause
The root cause lies in insufficient validation of user-supplied input before concatenating it with classpath paths. The application fails to properly sanitize or restrict the "key" parameter values, allowing directory traversal sequences to escape the intended classpath context. Additionally, a path separator resolution bug in versions 5.19.3 and 6.2.2 means these fixes are incomplete on Windows environments, requiring users on that platform to upgrade to 5.19.4 or 6.2.3.
Attack Vector
The vulnerability is exploitable over the network by authenticated users. An attacker with valid credentials can craft malicious requests containing path traversal sequences in the key parameter when:
- Creating a Stomp consumer connection
- Browsing messages through the ActiveMQ Web console interface
The attacker constructs a "key" value with directory traversal characters (such as ../) that, when concatenated with the classpath base, resolves to resources outside the intended directory structure. This enables unauthorized access to classpath resources that should not be accessible, potentially exposing sensitive configuration files or enabling further exploitation.
Detection Methods for CVE-2026-33227
Indicators of Compromise
- Unusual Stomp consumer creation requests containing path traversal sequences (../, ..\\) in key parameters
- Web console message browsing requests with malformed or suspicious key values
- Unexpected classpath resource access patterns in application logs
- Authentication logs showing repeated attempts with various traversal patterns
Detection Strategies
- Monitor ActiveMQ application logs for path traversal patterns in request parameters
- Implement Web Application Firewall (WAF) rules to detect directory traversal attempts in Stomp and HTTP requests
- Review audit logs for unusual resource access patterns from authenticated users
- Deploy SentinelOne Singularity to detect exploitation attempts and anomalous application behavior
Monitoring Recommendations
- Enable detailed logging for Stomp consumer creation and Web console operations
- Configure alerting for requests containing path traversal sequences
- Monitor for chains of suspicious activity that could indicate multi-stage exploitation attempts
How to Mitigate CVE-2026-33227
Immediate Actions Required
- Upgrade Apache ActiveMQ to version 5.19.4 or 6.2.3 immediately
- If running on non-Windows environments, versions 5.19.3 and 6.2.2 also address this vulnerability
- Review authentication logs for signs of exploitation attempts
- Audit user access to identify any potentially compromised accounts
Patch Information
Apache has released fixed versions that address this vulnerability. Users should upgrade to version 5.19.4 or 6.2.3, which include complete fixes for all platforms including Windows. The earlier releases 5.19.3 and 6.2.2 contain partial fixes that work on non-Windows environments but do not resolve a path separator issue affecting Windows systems.
For detailed patch information, refer to the Apache ActiveMQ Security Advisory and the Openwall OSS Security Discussion.
Workarounds
- Restrict network access to ActiveMQ Stomp and Web console interfaces to trusted networks only
- Implement strict input validation at the network perimeter using WAF rules
- Disable the Web console if not required for operations
- Apply principle of least privilege to limit authenticated user capabilities
# Example: Restrict Web console access via firewall rules
# Block external access to ActiveMQ web console port
iptables -A INPUT -p tcp --dport 8161 -s ! 10.0.0.0/8 -j DROP
# Allow only trusted internal network to access Stomp port
iptables -A INPUT -p tcp --dport 61613 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 61613 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
