7.5
/ 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.
A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Basic Information
ID
CVE-2026-49432
Source
apache
Published
Jun 30, 2026 at 09:54
Modified
Jun 30, 2026 at 15:55
Affected Product
Vendor
Apache Software Foundation
Product
Apache ActiveMQ
Affected Versions
Apache Software Foundation Apache ActiveMQ 0
Apache Software Foundation Apache ActiveMQ 6.0.0
Apache Software Foundation Apache ActiveMQ All 0
Apache Software Foundation Apache ActiveMQ All 6.0.0
Apache Software Foundation Apache ActiveMQ Stomp 0
Apache Software Foundation Apache ActiveMQ Stomp 6.0.0
Apache Software Foundation Apache ActiveMQ 6.0.0
Apache Software Foundation Apache ActiveMQ All 0
Apache Software Foundation Apache ActiveMQ All 6.0.0
Apache Software Foundation Apache ActiveMQ Stomp 0
Apache Software Foundation Apache ActiveMQ Stomp 6.0.0