A newly identified vulnerability in Apache ActiveMQ, tracked as CVE-2026-42253, has been disclosed; it allows attackers to inject HTTP response headers, including the headers browsers rely on for security. The flaw stems from improper handling of message properties and can lead to cross-site scripting and response manipulation in systems running Apache ActiveMQ.
Details of the Vulnerability
The issue affects both Apache ActiveMQ and its web components. The root of the problem lies in the MessageServlet of the ActiveMQ web console API, where Java Message Service (JMS) message properties are copied into HTTP response headers without adequate validation. This oversight lets an attacker craft JMS messages whose properties are reflected as response headers, resulting in HTTP response header injection.
HTTP headers are essential for implementing browser security features such as Content Security Policy (CSP), X-Frame-Options, and Strict-Transport-Security (HSTS). By exploiting this vulnerability, attackers can alter or inject these headers, thereby undermining the protections they provide.
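The following is an added example, not code from ActiveMQ or the MessageServlet, that models the vulnerable step described above (message properties being copied into response headers) and shows the checks a hardened copy would apply: header names must be RFC 7230 tokens, values must be free of CR/LF and other control characters, browser security headers must never be settable from message data, and only an explicit allow-list of property names is reflected at all. The property names, the allow-list, and the sample message are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Visible ASCII plus SP/HTAB permitted in a field value. CR, LF and other
# control characters are excluded; that is what prevents response splitting.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e]*")

# Headers that drive browser security policy. Message data must never set or
# override these, even when the name is syntactically valid and allow-listed.
PROTECTED_HEADERS: Set[str] = {
    "content-security-policy", "x-frame-options", "strict-transport-security",
    "set-cookie", "content-type", "location", "access-control-allow-origin",
}

def safe_response_headers(
    props: Dict[str, object], allowlist: Set[str]
) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Copy message properties into HTTP response headers, keeping only
    allow-listed names with valid, control-character-free values.
    Returns (headers, rejected); rejected lists (name, reason) pairs."""
    allowed = {n.lower() for n in allowlist}
    headers: Dict[str, str] = {}
    rejected: List[Tuple[str, str]] = []
    for name, raw in props.items():
        lname = name.lower()
        if not _TOKEN.fullmatch(name):
            rejected.append((name, "invalid header name"))
        elif lname in PROTECTED_HEADERS:
            rejected.append((name, "protected security header"))
        elif lname not in allowed:
            rejected.append((name, "not allow-listed"))
        elif not _FIELD_VALUE.fullmatch(str(raw)):
            rejected.append((name, "control characters in value"))
        else:
            headers[name] = str(raw)
    return headers, rejected

# Constructed sample: properties as they might arrive on a JMS message.
SAMPLE_PROPS = {
    "X-Trace-Id": "abc123",                       # benign, reflected
    "X-Frame-Options": "ALLOWALL",                # attempt to override a security header
    "X-Note": "ok\r\nX-Injected: 1",              # CR/LF would split the response
    "Bad Name": "x",                              # space is not a token character
    "JMSXGroupID": "orders",                      # valid but not allow-listed
}
ALLOWLIST = {"X-Trace-Id", "X-Note", "X-Frame-Options", "Bad Name"}

if __name__ == "__main__":
    kept, dropped = safe_response_headers(SAMPLE_PROPS, ALLOWLIST)
    print("reflected:", kept)
    for name, reason in dropped:
        print(f"dropped {name!r}: {reason}")
```

Only `X-Trace-Id` survives; the other four properties are each dropped for a different reason, which is the behaviour a reviewer would want to see in any code path that turns message data into response headers.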
Potential Impact and Affected Versions
If exploited, this vulnerability could enable cross-site scripting (XSS), session hijacking, or clickjacking attacks, particularly when the ActiveMQ web console is reachable by unauthorized users. The flaw affects Apache ActiveMQ versions prior to 5.19.7 and 6.x versions from 6.0.0 up to, but not including, 6.2.6. Likewise, Apache ActiveMQ Web versions before 5.19.7 and 6.x versions before 6.2.6 are at risk.
The Apache Software Foundation has responded by disabling and deprecating the MessageServlet component in updated versions, reducing the vulnerability’s attack surface.
Additional Security Concerns
Another significant vulnerability, CVE-2026-49157, involves inadequate default permissions in Apache ActiveMQ. Because of overly permissive settings, authenticated low-privilege users can reach the Jolokia broker management endpoints and perform sensitive operations intended for administrators, such as creating or deleting queues.
These vulnerabilities underscore the importance of robust input validation and access control in management interfaces, highlighting risks when these measures are insufficient.
Researchers Vishal Shukla, pyn3rd, uname, and 4ra1n identified the header injection flaw, while Leon Johnson reported the Jolokia permission issue.
Recommendations for Organizations
Organizations relying on Apache ActiveMQ should promptly upgrade to versions 5.19.7 or 6.2.6 to resolve these security issues. Administrators are also encouraged to review the exposure of the ActiveMQ web console, restrict access to trusted networks, and scrutinize message-handling procedures to prevent unsafe data propagation into HTTP responses.
Given the widespread adoption of ActiveMQ in enterprise messaging and microservices, these vulnerabilities could pose significant risks if not addressed, particularly where web console access is not securely managed.
