CVE Catalog

CVE-2026-49432

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.84%

53th percentile — higher than 53% of all known CVEs

Summary

An improper input validation vulnerability exists in Apache ActiveMQ's STOMP protocol. A remote unauthenticated attacker can send a negative content-length header, causing denial-of-service (DoS). For NIO STOMP transport, this leads to out-of-memory (OOM), while for blocking STOMP it causes connection errors and closure.

Risk Assessment

The organization is exposed to external DoS attacks that can disrupt ActiveMQ-based systems, leading to service unavailability and potential financial losses.

Recommendation

Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7 immediately, as these versions contain the fix for this vulnerability.

Original NVD description (English source)

Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS