CVE-2026-33227: CWE-22 Improper input validation for resource loading in Apache Software Foundation Apache ActiveMQ Client
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
AI Analysis
Technical Summary
This vulnerability involves improper input validation (CWE-22) in Apache ActiveMQ Client and Broker components, where an authenticated user can supply a crafted 'key' parameter that leads to classpath traversal due to unsafe path concatenation. This affects versions before 5.19.4 and 6.2.3, with earlier partial fixes in 5.19.3 and 6.2.2 limited to non-Windows platforms. The issue is specifically triggered during Stomp consumer creation and message browsing in the Web console. The vendor recommends upgrading to 5.19.4 or 6.2.3 to fully remediate the vulnerability.
Potential Impact
An authenticated user can exploit this vulnerability to traverse the classpath, potentially accessing unintended resources. While the direct impact is resource loading exposure, the vulnerability could be combined with other exploits to achieve further compromise. No known exploits in the wild have been reported. The vulnerability affects Apache ActiveMQ Client, Broker, and All versions prior to the fixed releases.
Mitigation Recommendations
A fix is available. Users should upgrade to Apache ActiveMQ versions 5.19.4 or 6.2.3, which fully address the vulnerability including Windows path separator issues. Versions 5.19.3 and 6.2.2 partially fix the issue but do not resolve it on Windows platforms. No other mitigations are indicated by the vendor advisory.
CVE-2026-33227: CWE-22 Improper input validation for resource loading in Apache Software Foundation Apache ActiveMQ Client
Description
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper input validation (CWE-22) in Apache ActiveMQ Client and Broker components, where an authenticated user can supply a crafted 'key' parameter that leads to classpath traversal due to unsafe path concatenation. This affects versions before 5.19.4 and 6.2.3, with earlier partial fixes in 5.19.3 and 6.2.2 limited to non-Windows platforms. The issue is specifically triggered during Stomp consumer creation and message browsing in the Web console. The vendor recommends upgrading to 5.19.4 or 6.2.3 to fully remediate the vulnerability.
Potential Impact
An authenticated user can exploit this vulnerability to traverse the classpath, potentially accessing unintended resources. While the direct impact is resource loading exposure, the vulnerability could be combined with other exploits to achieve further compromise. No known exploits in the wild have been reported. The vulnerability affects Apache ActiveMQ Client, Broker, and All versions prior to the fixed releases.
Mitigation Recommendations
A fix is available. Users should upgrade to Apache ActiveMQ versions 5.19.4 or 6.2.3, which fully address the vulnerability including Windows path separator issues. Versions 5.19.3 and 6.2.2 partially fix the issue but do not resolve it on Windows platforms. No other mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-18T00:08:09.668Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4bd49aaed68159afc7f6a
Added to database: 4/7/2026, 8:16:09 AM
Last enriched: 4/7/2026, 8:31:15 AM
Last updated: 4/9/2026, 6:23:45 AM
Views: 32
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.