CVE-2026-49432 in ActiveMQ
Summary
by MITRE • 06/30/2026
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.
A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Analysis
by VulDB Data Team • 06/30/2026
The vulnerability under discussion represents a critical improper input validation flaw affecting Apache ActiveMQ implementations across multiple versions and components including ActiveMQ All and ActiveMQ Stomp. This security weakness manifests through a specific denial-of-service attack vector that exploits the STOMP (Simple Text Oriented Messaging Protocol) connector exposed to remote attackers. The issue stems from inadequate validation of content-length parameters within the STOMP protocol handling mechanisms, creating opportunities for malicious actors to manipulate connection states and disrupt service availability.
The technical exploitation occurs when an unauthenticated remote peer accesses an exposed STOMP connector and sends specially crafted negative content-length values. This manipulation triggers distinct behavioral patterns depending on the underlying transport mechanism employed by ActiveMQ. In NIO (Non-blocking I/O) STOMP transport configurations, attackers can sustain continuous streaming of body bytes that progressively expand the per-connection command buffer beyond system-defined limits, ultimately leading to out-of-memory conditions that cause system crashes or resource exhaustion. The blocking STOMP protocol exhibits different behavior where the malformed content-length triggers abnormal transport exception handling, resulting in forced connection closure and service disruption.
This vulnerability directly maps to CWE-20, Improper Input Validation, a fundamental weakness class covering insufficient validation of input parameters, which particularly affects network protocols and messaging systems. The attack pattern aligns with ATT&CK sub-technique T1499.004 under "Endpoint Denial of Service," specifically targeting service availability through resource exhaustion. The flaw demonstrates how protocol-level input handling deficiencies can be leveraged to create cascading failures in enterprise messaging infrastructure, particularly in systems that rely on STOMP for message broker communications.
The impact spans across multiple Apache ActiveMQ product lines and version ranges, with affected versions including all releases before 5.19.8 and versions from 6.0.0 through 6.2.6 in the 6.x series. This widespread exposure affects not only standalone ActiveMQ installations but also those using the ActiveMQ All distribution package and dedicated ActiveMQ Stomp components, indicating a systemic vulnerability within the messaging framework's STOMP protocol implementation. The issue represents a significant risk to organizations relying on these messaging systems for critical business operations, as it can be exploited without authentication credentials and requires minimal network access to execute successfully.
Organizations should prioritize immediate remediation by upgrading to versions 6.2.7 or 5.19.8, which contain the necessary patches to address the improper input validation issues. These releases implement enhanced content-length validation mechanisms that prevent the exploitation patterns described in the vulnerability. Security teams should also consider implementing network-level mitigations such as firewall rules restricting access to STOMP ports and monitoring for anomalous connection behavior patterns. The fix addresses both the memory exhaustion scenario in NIO transports and the abnormal exception handling in blocking protocols, providing comprehensive protection across all affected configurations.
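The defensive check the analysis describes, as an added illustration that is not ActiveMQ's own code: a small STOMP frame parser that validates the content-length header (non-numeric, negative or larger than a cap) before it accepts any body bytes, so a malformed header is rejected and logged rather than buffered. The frames, the 64 KiB cap and the function names are constructed for this example.

```python
# Added example (not ActiveMQ's code): validate a STOMP content-length before buffering a body.
MAX_FRAME_SIZE = 64 * 1024  # assumed cap, standing in for a configured max frame size

# Constructed sample frames: COMMAND, header lines, blank line, body, NUL terminator.
GOOD_FRAME = b"SEND\ndestination:/queue/test\ncontent-length:5\n\nhello\x00"
NEGATIVE_LENGTH_FRAME = b"SEND\ndestination:/queue/test\ncontent-length:-1\n\nhello\x00"

class StompFrameError(ValueError):
    """Malformed frame: send an ERROR frame and close the connection instead of buffering."""

def validate_content_length(value: str, max_frame_size: int = MAX_FRAME_SIZE) -> int:
    """Return content-length as an int; reject non-numeric, negative or oversized values."""
    try:
        n = int(value)
    except ValueError:
        raise StompFrameError(f"non-numeric content-length {value!r}") from None
    if n < 0:
        raise StompFrameError(f"negative content-length {n}")
    if n > max_frame_size:
        raise StompFrameError(f"content-length {n} exceeds max frame size {max_frame_size}")
    return n

def parse_stomp_frame(data: bytes, max_frame_size: int = MAX_FRAME_SIZE):
    """Return (command, headers, body) or raise StompFrameError."""
    head, sep, rest = data.partition(b"\n\n")
    if not sep:
        raise StompFrameError("incomplete headers")
    lines = head.split(b"\n")
    command = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(b":")
        headers.setdefault(key.decode(), val.decode())  # first occurrence wins (STOMP 1.1+)
    if "content-length" not in headers:
        body, nul, _ = rest.partition(b"\x00")  # no length header: body runs up to the NUL
        if not nul:
            raise StompFrameError("missing NUL terminator")
        return command, headers, body
    n = validate_content_length(headers["content-length"], max_frame_size)
    # Only now is the body taken, and only exactly n bytes followed by the NUL terminator.
    if len(rest) < n + 1 or rest[n:n + 1] != b"\x00":
        raise StompFrameError("body does not match content-length")
    return command, headers, rest[:n]

def reject_reason(data: bytes) -> str:
    """Empty string if the frame is acceptable, otherwise the reason to log before closing."""
    try:
        parse_stomp_frame(data)
        return ""
    except StompFrameError as exc:
        return str(exc)
```

The rejection reason is what a broker would log per connection; a burst of such rejections from one source is the anomalous connection behavior the analysis recommends monitoring for.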