Forwarded from the National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202605-00000002
[Content Description]
Researchers have discovered two high-risk security vulnerabilities (CVE-2026-40466 and CVE-2026-41044) in Apache ActiveMQ. The vulnerability types are Improper Input Validation and Code Injection. An authenticated remote attacker could exploit these vulnerabilities to load a malicious configuration file into ActiveMQ and thereby execute arbitrary code. Please check whether your systems are affected and patch them as soon as possible.
[Affected Platforms]
Apache ActiveMQ Broker versions prior to 5.19.6
Apache ActiveMQ Broker versions 6.0.0 to 6.2.5 (excluding 6.2.5)
Apache ActiveMQ All versions prior to 5.19.6 (excluding 6.19.6)
Apache ActiveMQ All versions 6.0.0 to 6.2.5 (excluding 6.2.5)
Apache ActiveMQ versions prior to 5.19.6 (excluding 6.19.6)
Apache ActiveMQ versions 6.0.0 to 6.2.5 (excluding 6.2.5)
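The version ranges above can be checked against a jar inventory with the following added example, which is not part of the original alert or of Apache ActiveMQ. It assumes Maven-style jar names and treats any `activemq-*` artifact as in scope; the function names and sample paths are constructed for illustration.

```python
import os
import re

# Version boundaries taken from the alert's [Affected Platforms] list.
FIXED_5X = (5, 19, 6)   # 5.x line: everything before this is affected
FIRST_6X = (6, 0, 0)    # 6.x line: affected from here ...
FIXED_6X = (6, 2, 5)    # ... up to, but not including, this release
# Assumption: jars use Maven-style names, <artifact>-<x.y.z>[-qualifier].jar
JAR_RE = re.compile(
    r"(activemq(?:-[a-z][a-z0-9]*)*)-(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?\.jar")

def parse_jar(path):
    """Return (artifact, (major, minor, patch), qualifier) or None."""
    m = JAR_RE.fullmatch(os.path.basename(path))
    if m is None:
        return None
    return m.group(1), tuple(int(g) for g in m.group(2, 3, 4)), m.group(5)

def is_affected(version, qualifier=None):
    """True if the version lies in a range the alert lists as affected."""
    if version in (FIXED_5X, FIXED_6X):
        # Conservative choice: a pre-release build (e.g. -SNAPSHOT) of a
        # fixed version number may predate the fix, so flag it.
        return qualifier is not None
    return version < FIXED_5X or FIRST_6X <= version < FIXED_6X

def scan(paths):
    """Return (path, artifact, version string) for each affected jar."""
    hits = []
    for path in paths:
        parsed = parse_jar(path)
        if parsed and is_affected(parsed[1], parsed[2]):
            artifact, version, qualifier = parsed
            text = ".".join(map(str, version)) + (f"-{qualifier}" if qualifier else "")
            hits.append((path, artifact, text))
    return hits

# Constructed sample inventory (not from the alert).
SAMPLE = [
    "/opt/activemq/lib/activemq-broker-5.18.3.jar",
    "/opt/activemq/lib/activemq-all-5.19.6.jar",
    "/srv/app/lib/activemq-all-6.2.4.jar",
    "/srv/app/lib/activemq-broker-6.2.5-SNAPSHOT.jar",
    "/srv/app/lib/activemq-broker-6.2.5.jar",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("AFFECTED", *hit)
```

Jars that are shaded into another archive or renamed will not match the filename pattern, so a clean result here does not replace checking the broker's reported version.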
[Recommended Actions]
The official patch has been released. Please refer to the official instructions for updating. The URLs are as follows:
https://activemq.apache.org/security-advisories.data/CVE-2026-40466-announcement.txt
https://activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt
[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2026-40466
2. https://nvd.nist.gov/vuln/detail/CVE-2026-41044
3. https://activemq.apache.org/security-advisories.data/CVE-2026-40466-announcement.txt
4. https://activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt