CVE 7.5 HIGH

Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service_CVE-2026-49432

7.5 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.

A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.




Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Basic Information

ID CVE-2026-49432
Source apache
Published Jun 30, 2026 at 09:54
Modified Jun 30, 2026 at 15:55

Affected Product

Vendor Apache Software Foundation
Product Apache ActiveMQ
Affected Versions Apache Software Foundation Apache ActiveMQ 0
Apache Software Foundation Apache ActiveMQ 6.0.0
Apache Software Foundation Apache ActiveMQ All 0
Apache Software Foundation Apache ActiveMQ All 6.0.0
Apache Software Foundation Apache ActiveMQ Stomp 0
Apache Software Foundation Apache ActiveMQ Stomp 6.0.0

CWE Classification

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.