CVE-2026-41044

Improper Input Validation, Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.<br /> <br /> An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application.<br /> The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file.<br /> <br /> <br /> Because Spring&amp;#39;s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker&amp;#39;s JVM through bean factory methods such as Runtime.exec().<br /> <br /> This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5.<br /> <br /> Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.