{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33227", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-18T00:08:09.668Z", "datePublished": "2026-04-07T07:50:58.897Z", "dateUpdated": "2026-04-08T15:44:39.427Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-client", "product": "Apache ActiveMQ Client", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.19.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "6.2.2", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-broker", "product": "Apache ActiveMQ Broker", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.19.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "6.2.2", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-all", "product": "Apache ActiveMQ All", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.19.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "6.2.2", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-web", "product": "Apache ActiveMQ Web", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.19.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "6.2.2", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:apache-activemq", "product": "Apache ActiveMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.19.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "6.2.2", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dawei Wang"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper validation and restriction of a classpath path name vulnerability in \n\n Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\n<br><br>In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.</p><p>\n\n</p><p>This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.</p>Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.<br><p></p>"}], "value": "Improper validation and restriction of a classpath path name vulnerability in \n\n Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\n\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.\n\n\n\n\n\nThis issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper input validation for resource loading", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-08T15:44:39.427Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ: Improper Limitation of a Pathname to a Restricted Classpath Directory", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/06/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T08:29:12.768Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:04:21.706397Z", "id": "CVE-2026-33227", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:05:29.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/06/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T08:29:12.768Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33227", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:04:21.706397Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:03:27.404Z"}}], "cna": {"title": "Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ: Improper Limitation of a Pathname to a Restricted Classpath Directory", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Dawei Wang"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ Client", "versions": [{"status": "affected", "version": "0", "lessThan": "5.19.3", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.2.2", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-client", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ Broker", "versions": [{"status": "affected", "version": "0", "lessThan": "5.19.3", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.2.2", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-broker", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ All", "versions": [{"status": "affected", "version": "0", "lessThan": "5.19.3", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.2.2", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-all", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ Web", "versions": [{"status": "affected", "version": "0", "lessThan": "5.19.3", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.2.2", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-web", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ", "versions": [{"status": "affected", "version": "0", "lessThan": "5.19.3", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.2.2", "versionType": "semver"}], "packageName": "org.apache.activemq:apache-activemq", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper validation and restriction of a classpath path name vulnerability in \n\n Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\n\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.\n\n\n\n\n\nThis issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper validation and restriction of a classpath path name vulnerability in \n\n Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\n<br><br>In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.</p><p>\n\n</p><p>This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.</p>Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.<br><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper input validation for resource loading"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-08T15:44:39.427Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33227", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:44:39.427Z", "dateReserved": "2026-03-18T00:08:09.668Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-07T07:50:58.897Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "7442A37C-AACC-4BF1-8AB7-1B4FBDE44CB4", "versionEndExcluding": "5.19.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "313BB84A-138D-43C8-B265-F789A4BED361", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4342B2A-3F2C-4016-87FB-66D69685FEA0", "versionEndExcluding": "5.19.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "matchCriteriaId": "97120890-1D2D-4021-BF6D-362CEB57E13B", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "0489A0FD-BF30-47A7-8AB7-19260119ABF1", "versionEndExcluding": "5.19.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF252D19-2B2F-41ED-A2D6-1C4AC2CDCF37", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper validation and restriction of a classpath path name vulnerability in \n\n Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\n\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.\n\n\n\n\n\nThis issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3."}], "id": "CVE-2026-33227", "lastModified": "2026-04-20T16:50:36.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T09:16:20.750", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/06/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.activemq/activemq-client: org.apache.activemq/activemq-broker: org.apache.activemq/activemq-all: org.apache.activemq/activemq-web: improper limitation of a pathname to a restricted classpath directory", "id": "2455867", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455867"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Apache ActiveMQ Client, Apache ActiveMQ Broker and Apache ActiveMQ All. A path traversal vulnerability, specifically an improper limitation of a pathname to a restricted directory, allows an authenticated user to manipulate input to traverse the classpath of the application, leading to an unauthorized classpath resource loading issue."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33227", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "activemq-broker", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "activemq-client", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "activemq-client", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "activemq-broker", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "activemq-client", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "activemq-all", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "activemq-broker", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "activemq-client", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "activemq-web", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "activemq-broker", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "activemq-client", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "activemq-broker", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "activemq-client", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "activemq-broker", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "activemq-client", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-04-07T07:50:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33227\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33227\nhttp://www.openwall.com/lists/oss-security/2026/04/06/4\nhttps://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt"], "statement": "To exploit this issue, an attacker must have valid credentials to create a Stomp consumer or log into the Web console. Additionally, this flaw only allows an authenticated user to read files from the classpath of the application, there is no impact to the availability or the integrity of the application. Due to these reasons, this vulnerability has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.19.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.2.2)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "Apache ActiveMQ Client", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "activemq", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-08T17:52:44.199580+00:00", "value": {"mitigation_remediation": ["Verify your ActiveMQ version and operating system.", "If running an affected release, upgrade to 5.19.4 or 6.2.3 (or to 5.19.3/6.2.2 on non\u2011Windows).", "After upgrading, confirm that creating a STOMP consumer and browsing messages in the Web console no longer allows path traversal."], "summary": {"action": "Immediate Patch", "impact": "Classpath traversal enabling arbitrary classpath resource loading"}, "threat_synthesis": {"affected_systems": "All major ActiveMQ components\u2014Client, Broker, All, Web, and the core product\u2014are affected in versions prior to 5.19.3 and from 6.0.0 to, but not including, 6.2.2. Users running 5.x should move to 5.19.4 or any 5.19.3 or later on non\u2011Windows systems. Users on the 6.x line should upgrade to 6.2.3 or any 6.2.2 on non\u2011Windows, as those releases patch path\u2011separator handling and classpath traversal checks.", "description_and_impact": "An authenticated user can supply a specially crafted key value when creating a STOMP consumer or browsing messages via the Web console. The application concatenates this value to a classpath path without proper validation or restriction, enabling attackers to traverse the classpath boundary. This flaw allows arbitrary classpath resources to be loaded, potentially exposing sensitive files or enabling further attacks when chained with other vulnerabilities. The weakness is identified as a Path Traversal (CWE\u201122).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score is below 1%, with the vulnerability not listed in the CISA KEV catalog, suggesting limited likelihood of exploitation in the wild. However, because the flaw requires authentication and can expose sensitive resources, it may serve as a stepping stone for additional attacks, particularly if the application runs with elevated privileges. Exploitability depends on the environment and the privileges of the running process."}}}}, "created": "2026-04-08T19:49:54.571617+00:00", "updated": "2026-04-08T20:13:05.665925+00:00", "vendors": ["apache", "apache$PRODUCT$activemq"]}