CVE-2026-41043 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in Apache ActiveMQ and Apache ActiveMQ Web. The flaw stems from improper neutralization of script-related HTML tags in the web console interface. An authenticated attacker can exploit this vulnerability to display malicious content when users browse queues in the web console by overriding the content type from XML to HTML and injecting HTML code into a JMS selector field.
Critical Impact
Authenticated attackers can inject malicious HTML content into the ActiveMQ web console, potentially leading to session hijacking, credential theft, or phishing attacks against other authenticated users browsing message queues.
Affected Products
- Apache ActiveMQ versions before 5.19.6
- Apache ActiveMQ versions from 6.0.0 before 6.2.5
- Apache ActiveMQ Web versions before 5.19.6 and from 6.0.0 before 6.2.5
Discovery Timeline
- 2026-04-24 - CVE-2026-41043 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-41043
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists within the queue browsing functionality of the Apache ActiveMQ web console. When users interact with queues through the web interface, the application fails to properly sanitize user-controllable input in the JMS selector field, allowing malicious HTML and JavaScript to be rendered in the browser context of other authenticated users.
The attack requires authentication to the ActiveMQ web console, limiting the initial attack surface. However, once an attacker has valid credentials, they can leverage this vulnerability to target other administrators or users who browse the affected queues.
Root Cause
The root cause lies in insufficient input validation and output encoding within the web console's queue browsing functionality. When the application renders queue contents, it allows the content type to be overridden from XML to HTML without proper sanitization of the JMS selector field values. This permits injection of arbitrary HTML markup including script tags that execute in the victim's browser session.
Attack Vector
The attack is network-based and proceeds under the following conditions and steps:
- The attacker must have valid authentication credentials to the ActiveMQ web console
- The attacker crafts a malicious JMS selector containing HTML/JavaScript payloads
- The attacker manipulates the content type header to render the response as HTML instead of XML
- When a victim user browses the affected queue through the web console, the injected payload executes in their browser context
This XSS attack can be leveraged for session hijacking, stealing authentication cookies, performing actions on behalf of the victim user, or redirecting users to malicious external sites.
Detection Methods for CVE-2026-41043
Indicators of Compromise
- Unusual JMS selector values containing HTML tags or JavaScript code in message queue configurations
- Web console access logs showing requests with manipulated content-type headers
- Unexpected changes to queue selector configurations by authenticated users
- Browser-based alerts or behaviors reported by users browsing the ActiveMQ web console
Detection Strategies
- Monitor Apache ActiveMQ web console logs for requests containing HTML tags or script elements in JMS selector parameters
- Implement web application firewall (WAF) rules to detect and block XSS payloads targeting the ActiveMQ web console
- Review authentication logs for suspicious patterns of access to queue browsing endpoints
- Deploy browser-based XSS detection mechanisms for administrative interfaces
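An added example (not from the advisory or from the ActiveMQ project) of the log review suggested above: it scans constructed request-log lines for HTML fragments in a JMS selector parameter and for a content-type override on queue-browse requests. The NCSA log format, the browse path names and the parameter names `selector` and `contentType` are assumptions; adjust them to what your console actually logs.

```python
"""Scan ActiveMQ web-console request logs for the signs named in the
detection strategy above: HTML or script fragments in a JMS selector value
and an explicit content-type override. Added example; not advisory code.
Assumptions: NCSA-style request log lines, browse paths containing
'queueBrowse' or 'browse', and query parameters 'selector' and 'contentType'."""
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic: an HTML tag or a javascript: URL inside the decoded selector text.
# Tune it for your own selectors; legitimate ones use < and > as comparisons.
HTML_RE = re.compile(r'<\s*/?\s*[a-z][^>]*>|javascript\s*:', re.I)
BROWSE_PATHS = ("queuebrowse", "browse")  # assumption: console browse endpoints

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - admin [24/Apr/2026:10:01:02 +0000] "GET /admin/browse.jsp?JMSDestination=orders HTTP/1.1" 200 512',
    '10.0.0.9 - admin [24/Apr/2026:10:02:10 +0000] "GET /demo/queueBrowse/orders?selector=id%3D%27%3Cscript%3Ealert(1)%3C%2Fscript%3E%27&contentType=text%2Fhtml HTTP/1.1" 200 1024',
    '10.0.0.5 - ops [24/Apr/2026:10:03:00 +0000] "GET /demo/queueBrowse/orders?selector=priority+%3E+4 HTTP/1.1" 200 2048',
    '10.0.0.7 - ops [24/Apr/2026:10:04:00 +0000] "GET /demo/queueBrowse/orders?contentType=text/html HTTP/1.1" 200 300',
]

def scan_line(line):
    """Return a finding dict for a suspicious browse request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not any(p in parts.path.lower() for p in BROWSE_PATHS):
        return None
    params = parse_qs(parts.query)  # URL-decodes values, so %3C becomes '<'
    reasons = []
    if any(HTML_RE.search(v) for v in params.get("selector", [])):
        reasons.append("html-in-selector")
    if any(v.lower().startswith("text/html") for v in params.get("contentType", [])):
        reasons.append("content-type-override")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "user": m.group("user"),
            "path": parts.path, "reasons": reasons}

def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The third sample line shows why the check decodes and inspects the selector rather than flagging any `<` or `>`: a comparison such as `priority > 4` is a normal selector and produces no finding.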
Monitoring Recommendations
- Enable verbose logging on the ActiveMQ web console to capture request parameters and content-type modifications
- Configure security information and event management (SIEM) alerts for patterns indicative of XSS attempts
- Regularly audit JMS selector configurations for unauthorized or suspicious content
- Monitor for anomalous user behavior in the web console, particularly around queue browsing activities
How to Mitigate CVE-2026-41043
Immediate Actions Required
- Upgrade Apache ActiveMQ immediately: to 5.19.6 on the 5.x branch, or to 6.2.5 on the 6.x branch
- Restrict access to the ActiveMQ web console to trusted networks and administrators only
- Review existing JMS selector configurations for any suspicious HTML or script content
- Implement additional authentication controls such as multi-factor authentication for web console access
- Consider temporarily disabling web console access if upgrading is not immediately possible
Patch Information
Apache has released patched versions that address this vulnerability. Users should upgrade to version 6.2.5 or 5.19.6 depending on their current deployment branch. The fix properly sanitizes JMS selector input and prevents content-type manipulation that enables HTML injection.
For detailed patch information, refer to the Apache ActiveMQ Security Advisory.
Workarounds
- Restrict access to the ActiveMQ web console by configuring firewall rules to allow connections only from trusted IP addresses
- Implement a reverse proxy with XSS filtering capabilities in front of the ActiveMQ web console
- Disable the web console entirely if it is not required for operational purposes
- Apply network segmentation to limit exposure of the ActiveMQ management interface
- Use Content Security Policy (CSP) headers at the reverse proxy level to mitigate script execution risks
# Example: Restrict web console access via iptables
# Only allow management access from a specific trusted subnet
# (8161 is the default port of the ActiveMQ web console; adjust the port and subnet to your deployment)
iptables -A INPUT -p tcp --dport 8161 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8161 -j DROP
# Note: -A appends, so an earlier blanket ACCEPT rule in the INPUT chain would still
# let other sources through; check the chain order and persist the rules (e.g. iptables-save)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.