Synopsis
The remote host is running a web application that is affected by multiple vulnerabilities.
Description
The version of Apache ActiveMQ running on the remote host is prior to 5.19.8 or 6.x prior to 6.2.7. It is, therefore, affected by multiple vulnerabilities:
- Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. (CVE-2026-49432)
- Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All. An unauthenticated network attacker can cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The value is not validated and causes the broker to attempt allocation during pre-auth negotiation which can trigger OOM and crash the broker. (CVE-2026-50734)
- Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. (CVE-2026-49877)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache ActiveMQ version 5.19.8, 6.2.7, or later.
Plugin Details
File Name: activemq_6_2_7.nasl
Agent: unix
Configuration: Enable thorough checks (optional)
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus
Enable CGI Scanning: true
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Information
CPE: cpe:/a:apache:activemq
Required KB Items: installed_sw/Apache ActiveMQ
Patch Publication Date: 6/29/2026
Vulnerability Publication Date: 6/29/2026