CVE-2026-33227: CWE-22 Improper input validation for resource loading in Apache Software Foundation Apache ActiveMQ Client
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-33227) in Apache ActiveMQ Client and related components arises from improper validation and restriction of classpath path names (CWE-22). Specifically, when an authenticated user provides a crafted "key" value during Stomp consumer creation or message browsing in the Web console, path concatenation allows traversal of the classpath resource loading mechanism. This can potentially be chained with other attacks. Affected versions include Apache ActiveMQ Client, Broker, All, Web, and core Apache ActiveMQ before 5.19.3 and from 6.0.0 before 6.2.2. Partial fixes in 5.19.3 and 6.2.2 do not fully address the issue on Windows due to path separator handling bugs. Complete fixes are included in versions 5.19.4 and 6.2.3.
Potential Impact
The vulnerability allows an authenticated user to perform classpath traversal via crafted input, potentially exposing internal resources or enabling further chained attacks. The CVSS score is 4.3 (medium severity), reflecting low confidentiality impact and no integrity or availability impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users should upgrade Apache ActiveMQ components to version 5.19.4 or 6.2.3, which fully fix the vulnerability including Windows path separator issues. Versions 5.19.3 and 6.2.2 provide partial fixes limited to non-Windows environments. Patch status is confirmed by the vendor advisory embedded in the description. No other mitigations are indicated.
CVE-2026-33227: CWE-22 Improper input validation for resource loading in Apache Software Foundation Apache ActiveMQ Client
Description
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-33227) in Apache ActiveMQ Client and related components arises from improper validation and restriction of classpath path names (CWE-22). Specifically, when an authenticated user provides a crafted "key" value during Stomp consumer creation or message browsing in the Web console, path concatenation allows traversal of the classpath resource loading mechanism. This can potentially be chained with other attacks. Affected versions include Apache ActiveMQ Client, Broker, All, Web, and core Apache ActiveMQ before 5.19.3 and from 6.0.0 before 6.2.2. Partial fixes in 5.19.3 and 6.2.2 do not fully address the issue on Windows due to path separator handling bugs. Complete fixes are included in versions 5.19.4 and 6.2.3.
Potential Impact
The vulnerability allows an authenticated user to perform classpath traversal via crafted input, potentially exposing internal resources or enabling further chained attacks. The CVSS score is 4.3 (medium severity), reflecting low confidentiality impact and no integrity or availability impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users should upgrade Apache ActiveMQ components to version 5.19.4 or 6.2.3, which fully fix the vulnerability including Windows path separator issues. Versions 5.19.3 and 6.2.2 provide partial fixes limited to non-Windows environments. Patch status is confirmed by the vendor advisory embedded in the description. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-18T00:08:09.668Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4bd49aaed68159afc7f6a
Added to database: 4/7/2026, 8:16:09 AM
Last enriched: 4/14/2026, 3:47:26 PM
Last updated: 5/24/2026, 8:24:25 AM
Views: 126
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.