CVE-2026-40466 Overview
CVE-2026-40466 is a critical code injection vulnerability in Apache ActiveMQ that lets an authenticated attacker execute arbitrary code in the broker's JVM. It bypasses the fix shipped for CVE-2026-34197 by combining the HTTP Discovery transport with the loading of an attacker-supplied Spring XML application context.
An authenticated caller adds a connector through Jolokia (BrokerView.addNetworkConnector or BrokerView.addConnector) using an HTTP Discovery transport URI; this only works when the activemq-http module is on the classpath. The attacker-controlled HTTP endpoint then answers with a VM transport URI whose brokerConfig parameter points at a remote Spring XML file. Because that returned URI is not held to the validation applied to the directly supplied connector URI, the broker loads the remote context through ResourceXmlApplicationContext, and the bean definitions it contains run arbitrary code.
Critical Impact
An authenticated attacker can run arbitrary code in the broker's JVM through Spring bean definitions whose factory methods call, for example, Runtime.exec(), and from there compromise the broker host and every system that trusts it.
Affected Products
- Apache ActiveMQ: versions before 5.19.6, and versions 6.0.0 through 6.2.4
- Apache ActiveMQ Broker: versions before 5.19.6, and versions 6.0.0 through 6.2.4
- Apache ActiveMQ All: versions before 5.19.6, and versions 6.0.0 through 6.2.4
Discovery Timeline
- April 24, 2026 - CVE-2026-40466 published to NVD
- April 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40466
Vulnerability Analysis
This vulnerability bypasses the validation added for CVE-2026-34197. Several components have to cooperate: the Jolokia-exposed BrokerView operations, the HTTP Discovery agent provided by activemq-http, the VM transport's brokerConfig parameter, and Spring's XML context loading.
The core problem is ordering: Spring's ResourceXmlApplicationContext instantiates every singleton bean while the context is being refreshed, before BrokerService ever sees the resulting configuration to validate it. A bean definition in the remote XML can therefore use a factory method such as Runtime.exec(), and the command runs during context creation; by the time any check could reject the configuration, the code has already executed.
Exploitation requires credentials for the Jolokia interface and the activemq-http module on the classpath, which makes this an authenticated remote code execution issue. The deployments at risk are those where the web console and its Jolokia endpoint are reachable by more than a small set of administrators.
Root Cause
The root cause is incomplete validation in the connector-addition path. The URI the attacker passes to addConnector or addNetworkConnector is checked, but when that URI names an HTTP Discovery transport, the transport URIs the HTTP endpoint later returns are not held to the same checks. The endpoint can therefore return a VM transport URI whose brokerConfig parameter points at a remote Spring XML file.
Compounding this, Spring instantiates the beans in that file before BrokerService can validate the loaded configuration, so malicious beans run before any check can intervene. This is an ordering flaw rather than a race: the check simply happens after the side effect instead of before it, so there is no timing window the attacker has to win.
Attack Vector
The attack leverages network-accessible Jolokia endpoints to inject malicious connector configurations. The attack flow proceeds as follows:
- An authenticated attacker accesses the Jolokia management interface
- The attacker calls BrokerView.addNetworkConnector or BrokerView.addConnector with an HTTP Discovery transport URI
- The HTTP endpoint under attacker control returns a VM transport URI containing a malicious brokerConfig parameter
- The brokerConfig parameter references a remote Spring XML application context
- When ResourceXmlApplicationContext processes this configuration, it instantiates all singleton beans
- Malicious bean definitions in the XML trigger code execution via methods like Runtime.exec() before validation occurs
The attack requires low privileges (authenticated access to Jolokia) and no user interaction, making it highly exploitable in environments where Jolokia management interfaces are accessible. For detailed technical information, refer to the Apache ActiveMQ Security Advisory.
Detection Methods for CVE-2026-40466
Indicators of Compromise
- Outbound HTTP/HTTPS connections from the broker JVM to unfamiliar destinations. The broker first fetches the discovery registry from the attacker's endpoint and then the Spring XML file it points to, so expect two requests in quick succession shortly after a Jolokia call
- Jolokia exec requests against the Broker MBean's addNetworkConnector or addConnector operations whose argument is a discovery:(http://...) or discovery:(https://...) URI
- Broker log entries showing a remote (http:// or https://) Spring XML resource being loaded, or a VM transport with a brokerConfig parameter turning up where a network peer was expected
- Child processes such as /bin/sh, cmd.exe or powershell.exe spawned by the ActiveMQ JVM process
Detection Strategies
- Record and review every Jolokia request that executes addNetworkConnector or addConnector on the Broker MBean. Jolokia accepts these as POST requests with a JSON body, which a plain web-server access log does not capture; put a reverse proxy in front of the console that logs request bodies so the URI argument is visible
- Monitor egress from broker hosts and alert on new HTTP/HTTPS destinations; a broker that normally talks only to its peers on 61616 suddenly fetching an http:// resource is the clearest signal
- Watch the JVM for child process creation (auditd, EDR, or equivalent); an ActiveMQ process has no legitimate reason to spawn a shell
- Review broker logs for connectors added at runtime that reference HTTP Discovery agents or VM transports carrying a brokerConfig parameter
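The following added example (written for this page; it is not ActiveMQ project code, not the patch, and not taken from the advisory) puts the Root Cause and Attack Vector sections and the detection strategies above into code. classify_uri is the check the root-cause discussion says was missing: it has to be applied not only to the URI handed to addConnector/addNetworkConnector but to every transport URI a discovery agent returns, and it rejects an HTTP discovery agent as well as a vm transport whose brokerConfig points at a remote resource. The same function then drives detection: scan_jolokia_requests walks Jolokia exec request bodies and audit_activemq_xml walks activemq.xml. The request bodies, host names and XML are constructed placeholders; the example assumes you can obtain Jolokia POST bodies (for instance from a reverse proxy in front of the console), since a plain access log records only the URL.

```python
"""Added example, not ActiveMQ project code and not from the advisory: the check a safe
addConnector/addNetworkConnector path must apply to every connector URI (including the peer
URI an HTTP discovery endpoint returns), run over constructed Jolokia requests and XML."""
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
COMPOSITE_RE = re.compile(r"^(\w+):\((.*)\)(?:\?(.*))?$")   # discovery:(...), static:(...)?opts
MEMBER_SPLIT_RE = re.compile(r",(?![^(]*\))")                # commas between members, not inside ()
REMOTE_SCHEMES = {"http", "https", "ftp"}
BROKER_OPS = {"addConnector", "addNetworkConnector"}


def is_remote_resource(resource):
    """True if a Spring resource string (optionally 'xbean:'-prefixed, as in
    brokerConfig=xbean:...) would be fetched over the network rather than read locally."""
    if resource.lower().startswith("xbean:"):
        resource = resource[len("xbean:"):]
    m = SCHEME_RE.match(resource)
    return bool(m) and m.group(1).lower() in REMOTE_SCHEMES


def classify_uri(uri):
    """Findings for one transport/discovery URI; [] means neither half of the chain
    (HTTP discovery agent, vm transport loading remote Spring XML) is present."""
    findings = []
    comp = COMPOSITE_RE.match(uri)
    if comp:
        outer, inner, _opts = comp.groups()
        for nested in (n.strip() for n in MEMBER_SPLIT_RE.split(inner)):
            if outer.lower() == "discovery":
                m = SCHEME_RE.match(nested)
                if m and m.group(1).lower() in ("http", "https"):
                    findings.append(f"HTTP discovery agent {nested}: peer URIs come from a remote endpoint")
            else:  # static:(...), failover:(...): check each member transport
                findings.extend(classify_uri(nested))
        return findings
    m = SCHEME_RE.match(uri)
    if m and m.group(1).lower() == "vm":
        for cfg in parse_qs(urlsplit(uri).query).get("brokerConfig", []):
            if is_remote_resource(cfg):
                findings.append(f"vm transport would load remote Spring XML: brokerConfig={cfg}")
    return findings


def scan_jolokia_requests(lines):
    """Flag Jolokia exec requests (one JSON body per line, bulk arrays allowed) that call
    addConnector/addNetworkConnector on the Broker MBean with a flagged URI."""
    hits = []
    for line in lines:
        try:
            body = json.loads(line)
        except ValueError:
            continue
        for req in body if isinstance(body, list) else [body]:
            op = str(req.get("operation", "")).split("(")[0]  # drop "(java.lang.String)"
            if req.get("type") != "exec" or op not in BROKER_OPS or "type=Broker" not in str(req.get("mbean", "")):
                continue
            for arg in req.get("arguments", []):
                findings = classify_uri(str(arg))
                if findings:
                    hits.append((op, str(arg), findings))
    return hits


def audit_activemq_xml(xml_text):
    """Flag networkConnector/transportConnector uri attributes in activemq.xml."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if local in ("networkConnector", "transportConnector") and "uri" in el.attrib:
            findings = classify_uri(el.attrib["uri"])
            if findings:
                hits.append((local, el.attrib["uri"], findings))
    return hits


# Constructed samples (not captured traffic, not a real broker config); hosts are placeholders.
SAMPLE_JOLOKIA = [
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector(java.lang.String)","arguments":["static:(tcp://mq-peer.internal:61616)"]}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["discovery:(http://discovery.example.test/registry)"]}',
]
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
 <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <networkConnectors>
   <networkConnector name="peers" uri="static:(tcp://mq-peer.internal:61616)"/>
   <networkConnector name="registry" uri="discovery:(http://discovery.example.test/registry)"/>
  </networkConnectors>
  <transportConnectors><transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/></transportConnectors>
 </broker>
</beans>"""

if __name__ == "__main__":
    # The peer URI a hostile discovery endpoint would hand back must fail this check
    print(classify_uri("vm://localhost?brokerConfig=xbean:http://xml.example.test/broker.xml"))
    for hit in scan_jolokia_requests(SAMPLE_JOLOKIA) + audit_activemq_xml(SAMPLE_XML):
        print(hit)
```

Run as a script it prints the flagged entries; in practice feed scan_jolokia_requests the captured request bodies one per line. classify_uri does not reproduce the project's actual fix; it models the property the fix has to enforce, namely that a URI obtained from a discovery agent is no more trusted than one typed by the caller.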
Monitoring Recommendations
- Enable detailed audit logging for all Jolokia management interface operations
- Configure network monitoring to alert on HTTP/HTTPS connections originating from ActiveMQ broker processes to external destinations
- Implement file integrity monitoring for the ActiveMQ configuration directory. Note that a connector added through Jolokia exists only in the running broker and leaves activemq.xml untouched, so this catches attempts at persistence rather than the attack itself
- Deploy endpoint detection and response (EDR) solutions to monitor JVM process behavior and detect anomalous code execution patterns
How to Mitigate CVE-2026-40466
Immediate Actions Required
- Upgrade Apache ActiveMQ to 5.19.6 (5.x branch) or 6.2.5 (6.x branch); this is the only complete fix
- Restrict the Jolokia endpoint, served by the web console on TCP 8161 by default, to administrator networks using network-level controls
- Review the connectors of the running broker (through the web console or JMX) as well as activemq.xml for HTTP Discovery transports or VM transports carrying a brokerConfig parameter; connectors added via Jolokia do not appear in activemq.xml
- Remove the activemq-http module from the classpath if no transportConnector or networkConnector uses http/https or HTTP discovery; this removes the discovery agent the attack depends on
- Block outbound HTTP/HTTPS from the broker host except to known endpoints, so that even a successful Jolokia call cannot fetch the remote XML
Patch Information
Apache has released patched versions that address this vulnerability. Users are recommended to upgrade to version 5.19.6 (for the 5.x branch) or 6.2.5 (for the 6.x branch). These versions include enhanced validation that prevents the HTTP Discovery transport bypass attack vector.
For additional information, review the Apache ActiveMQ Security Advisory.
Workarounds
- Disable the Jolokia endpoint if it is not used, or restrict it at the network level with firewall rules
- Remove the activemq-http module from the classpath if HTTP transport functionality is not required for operations
- Implement egress filtering so the broker cannot connect to arbitrary external HTTP endpoints
- Require strong, individual credentials for Jolokia and, where possible, deny the addConnector and addNetworkConnector operations on the Broker MBean through Jolokia's access policy so that connectors can only be added by editing activemq.xml
# Example: restrict access to the Jolokia endpoint at the network level.
# Jolokia is served by the ActiveMQ web console, which listens on TCP 8161 by default
# (check conf/jetty.xml if the port was changed); replace 10.0.0.0/8 with the admin subnet.
iptables -A INPUT -p tcp --dport 8161 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8161 -j DROP
# Example: remove the activemq-http module if HTTP transports are not needed.
# First confirm nothing in the configuration depends on it: no http:// or https://
# transportConnector and no HTTP discovery networkConnector.
grep -nE 'uri="(https?://|discovery:\(https?://)' "$ACTIVEMQ_HOME/conf/activemq.xml"
# Stop the broker, move the HTTP transport JAR out of the classpath, then restart
# and check the broker log for a clean start.
cd "$ACTIVEMQ_HOME/lib/optional"
mv activemq-http-*.jar /backup/location/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.