Description

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.

INFO

Published Date :

2026-04-07T07:50:58.897Z

Last Modified :

2026-04-07T14:05:29.211Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33227 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33227.

URL Resource
http://www.openwall.com/lists/oss-security/2026/04/06/4 cve-icon cve-icon
https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-33227 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-33227 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact