CVE-2026-42253 Overview
CVE-2026-42253 is a Cross-Site Scripting (XSS) vulnerability affecting Apache ActiveMQ and Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every Java Message Service (JMS) message property into an HTTP response header without validation: the property name becomes the header name and the property value becomes the header value. An attacker who can publish to a queue served by the servlet can therefore add new response headers, or overwrite security headers such as Content-Security-Policy, simply by setting properties with those names on a message the servlet later returns. The flaw is tracked under [CWE-79] and carries a CVSS score of 6.1 (Medium). Affected versions are Apache ActiveMQ and ActiveMQ Web before 5.19.7, and from 6.0.0 before 6.2.6. The Apache Software Foundation has released fixed builds that deprecate the MessageServlet and disable it by default.
Critical Impact
Attackers can inject arbitrary HTTP response headers through JMS message properties, enabling header-based XSS, security header overwrites, and downstream client-side attacks against ActiveMQ web console users.
Affected Products
- Apache ActiveMQ versions before 5.19.7
- Apache ActiveMQ versions from 6.0.0 before 6.2.6
- Apache ActiveMQ Web versions before 5.19.7 and from 6.0.0 before 6.2.6
Discovery Timeline
- 2026-06-01 - CVE-2026-42253 published to the National Vulnerability Database (NVD)
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-42253
Vulnerability Analysis
The vulnerability resides in the MessageServlet component of the Apache ActiveMQ web console API. When a client requests a queued message through the servlet, the servlet enumerates each JMS message property and writes it directly into the HTTP response as a header. No validation, encoding, or allowlist filtering is applied to the property name or value.
An attacker who can publish JMS messages to a broker can set properties whose names match HTTP header names. Because the servlet emits each property as its own header, no CRLF or other delimiter trickery is needed: a property named Content-Security-Policy, X-Frame-Options or Set-Cookie simply becomes that header in the response, added if absent or replacing the value the servlet would normally emit. The injected headers reach the browser in a response served by the web console, and the malicious message sits on the queue until the servlet consumes it, so the flaw is classified as stored XSS achieved through HTTP response header injection.
User interaction is required: a victim must load the affected web console endpoint after the malicious message has been queued. Successful exploitation can weaken browser-side protections (for example by replacing Content-Security-Policy or X-Frame-Options with permissive values), set or override cookies in the victim's browser, or serve as a foothold for attacks on other web console functionality.
Root Cause
The root cause is improper neutralization of input during web page generation (CWE-79): the MessageServlet treats JMS message properties as trusted data and forwards them, name and value alike, into the response header stream. JMS properties are attacker-controllable in any deployment where producers are not strictly trusted, so the absence of an allowlist and of header name and value sanitization turns the property loop into a direct injection sink.
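The sink described above, modelled in plain Python beside a hardened version. This is an added example and not ActiveMQ's own code: it reproduces the behaviour the advisory describes (every JMS property copied into a response header) so that the injection and a fix can be exercised offline. The default header set, the attacker's property names, and the X-JMS- prefix used to namespace forwarded properties are assumptions made for this example.

```python
"""Model of the MessageServlet property-to-header sink, vulnerable and hardened.

Added example, not ActiveMQ's code. Header names, property names and the
X-JMS- prefix are assumptions for this example.
"""
import re

# Assumed headers the servlet itself sets before message properties are copied in.
SERVLET_DEFAULT_HEADERS = {
    "Content-Type": "text/plain",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}

# Constructed attacker-controlled properties: names collide with security
# headers, and one name carries a CRLF to show header splitting on the wire.
MALICIOUS_PROPS = {
    "JMSXGroupID": "orders",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Set-Cookie": "JSESSIONID=attacker; Path=/",
    "X-Frame-Options": "ALLOWALL",
    "X-Evil\r\nInjected": "1",
}

# RFC 7230 token characters for header names; printable ASCII plus tab for values
# (no CR, LF or other control characters). Used with fullmatch.
HEADER_NAME_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
HEADER_VALUE_RE = re.compile(r"[\t\x20-\x7e]*")
FORWARD_PREFIX = "X-JMS-"  # assumption: namespace so forwarded properties cannot collide


def emit_headers_vulnerable(props):
    """Vulnerable pattern: every property becomes a header; last write wins."""
    headers = dict(SERVLET_DEFAULT_HEADERS)
    for name, value in props.items():
        headers[name] = str(value)  # no allowlist, no charset check, overwrites defaults
    return headers


def emit_headers_hardened(props, allowlist=None):
    """Hardened pattern: validate name and value, optionally allowlist property
    names, and prefix forwarded properties so they cannot replace servlet headers."""
    headers = dict(SERVLET_DEFAULT_HEADERS)
    for name, value in props.items():
        value = str(value)
        if not HEADER_NAME_RE.fullmatch(name) or not HEADER_VALUE_RE.fullmatch(value):
            continue  # drop anything that could split or corrupt a header line
        if allowlist is not None and name not in allowlist:
            continue  # only explicitly approved properties are forwarded
        headers[FORWARD_PREFIX + name] = value
    return headers


def serialize(headers):
    """Render headers as they would appear on the wire, exposing CRLF splitting."""
    return "".join(f"{n}: {v}\r\n" for n, v in headers.items()).encode()


def wire_is_well_formed(wire):
    """True if every wire line is 'token: value' with a clean name and value."""
    for line in wire.decode().split("\r\n")[:-1]:
        name, sep, value = line.partition(": ")
        if not sep or not HEADER_NAME_RE.fullmatch(name) or not HEADER_VALUE_RE.fullmatch(value):
            return False
    return True


if __name__ == "__main__":
    print(serialize(emit_headers_vulnerable(MALICIOUS_PROPS)).decode())
    print(serialize(emit_headers_hardened(MALICIOUS_PROPS, allowlist={"JMSXGroupID"})).decode())
```

Run stand-alone, the first print shows the attacker's Content-Security-Policy and X-Frame-Options values in place of the servlet's own, a Set-Cookie header that the servlet never set, and the CRLF-bearing name split across two lines; the second shows only the servlet's defaults plus a namespaced X-JMS-JMSXGroupID. Whether a real servlet container lets a CRLF through depends on the container; the collision with existing header names needs no such assistance.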
Attack Vector
The attack is network-based and low in complexity. The CVSS vector scores it as requiring no privileges, which assumes the attacker can publish to the broker; in deployments that authenticate producers, the attacker needs a producer identity. User interaction is required from a victim who accesses the web console. The attacker submits a JMS message whose property names and values are chosen to add or replace response headers. When an administrator or operator browses to the affected MessageServlet endpoint, the broker emits the attacker-controlled headers, enabling XSS and response header injection against the victim's browser session.
No verified public proof-of-concept code is available. Refer to the Apache Security Mailing List Thread and the OpenWall OSS-Security Discussion for technical details.
Detection Methods for CVE-2026-42253
Indicators of Compromise
- JMS messages whose property names collide with HTTP header names such as Content-Security-Policy, X-Frame-Options or Set-Cookie, or whose property names or values contain CRLF sequences or other control characters.
- HTTP responses from the ActiveMQ web console containing unexpected, duplicated, or attacker-controlled security headers.
- Web console access logs showing requests to MessageServlet endpoints followed by client-side script errors or anomalous browser behavior.
Detection Strategies
- Inspect ActiveMQ broker logs for JMS message producers setting unusual or excessively long property names on queues consumed by the web console.
- Compare emitted HTTP response headers from the web console against an expected baseline to identify injected or overwritten headers.
- Audit deployed ActiveMQ versions against the fixed releases 5.19.7 and 6.2.6 to identify exposed instances.
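Three of the checks above (triaging message properties against the indicators, comparing emitted headers with a baseline, and auditing versions against the fixed releases) as an added example that is not part of the advisory or of ActiveMQ. The baseline headers, the captured header list and the property set are constructed sample data, and the list of security-sensitive header names is an assumption; the version boundaries are the advisory's own.

```python
"""Detection helpers for CVE-2026-42253: property triage, response header
baseline comparison, and version audit.

Added example, not part of the advisory or of ActiveMQ. Sample data below is
constructed; the affected version ranges come from the advisory.
"""
import re

# Assumed list of headers an attacker would most want to add or replace.
SECURITY_HEADERS = {
    "content-security-policy", "x-frame-options", "set-cookie", "content-type",
    "x-content-type-options", "strict-transport-security", "location",
    "access-control-allow-origin", "cache-control",
}
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def triage_properties(props, max_name_len=64):
    """Return (property name, reason) pairs for properties matching the IoCs:
    header-like names, control characters in name or value, oversized names."""
    findings = []
    for name, value in props.items():
        if name.lower() in SECURITY_HEADERS:
            findings.append((name, "collides with HTTP security header"))
        if CONTROL_RE.search(name) or CONTROL_RE.search(str(value)):
            findings.append((name, "control character in name or value"))
        if len(name) > max_name_len:
            findings.append((name, "oversized property name"))
    return findings


def diff_response_headers(baseline, observed):
    """Compare observed (name, value) pairs against a baseline dict.
    Returns injected (absent from baseline), overwritten (any value differs)
    and duplicated (same name emitted more than once), names lower-cased."""
    base = {k.lower(): v for k, v in baseline.items()}
    seen = {}
    for name, value in observed:
        seen.setdefault(name.lower(), []).append(value)
    injected = sorted(n for n in seen if n not in base)
    overwritten = sorted(n for n, vals in seen.items()
                         if n in base and any(v != base[n] for v in vals))
    duplicated = sorted(n for n, vals in seen.items() if len(vals) > 1)
    return {"injected": injected, "overwritten": overwritten, "duplicated": duplicated}


def is_affected_version(version):
    """True if an ActiveMQ version string falls in the advisory's affected ranges:
    before 5.19.7, or from 6.0.0 before 6.2.6."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return v < (5, 19, 7) or (6, 0, 0) <= v < (6, 2, 6)


# Constructed sample data: the baseline the console normally emits, a captured
# response after a malicious message was queued, and that message's properties.
BASELINE = {
    "Content-Type": "text/plain",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}
OBSERVED = [
    ("Content-Type", "text/plain"),
    ("X-Frame-Options", "ALLOWALL"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Content-Security-Policy", "default-src *"),
    ("Set-Cookie", "JSESSIONID=attacker; Path=/"),
]
SAMPLE_PROPS = {
    "JMSXGroupID": "orders",
    "Content-Security-Policy": "default-src *",
    "X-Evil\r\nInjected": "1",
}

if __name__ == "__main__":
    print(diff_response_headers(BASELINE, OBSERVED))
    print(triage_properties(SAMPLE_PROPS))
    for ver in ("5.18.3", "5.19.7", "6.2.5", "6.2.6"):
        print(ver, "affected" if is_affected_version(ver) else "fixed")
```

The header comparison treats names case-insensitively because HTTP does, and reports a baseline header as overwritten if any emitted copy differs from the expected value, so a duplicated Content-Security-Policy with one good and one attacker-supplied value is flagged under both overwritten and duplicated. The version check deliberately treats 6.2.6 and later, and anything after the 6.x line, as fixed, matching the advisory's two ranges.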
Monitoring Recommendations
- Forward ActiveMQ broker and web console access logs to a centralized log platform and alert on access to MessageServlet paths from non-administrative networks.
- Monitor for newly created JMS producers or unusual property-setting patterns on queues exposed via the web console.
- Track configuration drift on ActiveMQ instances to detect re-enablement of the deprecated MessageServlet.
How to Mitigate CVE-2026-42253
Immediate Actions Required
- Upgrade Apache ActiveMQ and Apache ActiveMQ Web to 5.19.7 or later on the 5.x line, or 6.2.6 or later on the 6.x line; in these releases the MessageServlet is deprecated and disabled by default.
- Restrict network access to the ActiveMQ web console to trusted administrative networks using firewall rules or reverse proxy controls.
- Audit JMS producer permissions and remove publishing rights from untrusted or unauthenticated identities.
Patch Information
The Apache Software Foundation released fixes in Apache ActiveMQ 5.19.7 and 6.2.6. The patched releases deprecate the MessageServlet and disable it by default. Refer to the Apache Security Mailing List Thread for the official advisory and upgrade guidance.
Workarounds
- Disable the MessageServlet in the ActiveMQ web console configuration if upgrading immediately is not feasible.
- Place the web console behind an authenticating reverse proxy that strips or rewrites the security-sensitive response headers emitted by MessageServlet. Treat this as a stopgap: a proxy can force known headers to safe values, but it cannot tell a legitimate servlet header from an injected one of the same name, and it does nothing for header names it was not configured to handle.
- Apply strict authentication and authorization on JMS producer connections to prevent untrusted clients from publishing messages with arbitrary properties.
Configuration example: disable MessageServlet by commenting out both its declaration and its URL mapping. The servlet is declared in the web console API application's WEB-INF/web.xml (jetty.xml only registers the web application contexts); verify the exact url-pattern against the deployed file before editing.
<!--
<servlet>
  <servlet-name>MessageServlet</servlet-name>
  <servlet-class>org.apache.activemq.web.MessageServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>MessageServlet</servlet-name>
  <url-pattern>/message/*</url-pattern>
</servlet-mapping>
-->
Restart the broker after the change and confirm the endpoint returns 404. After upgrading to 5.19.7 or 6.2.6, MessageServlet is disabled by default.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


