CVE-2026-49432
HighCVSS 7.5Exploitation Probability (EPSS)
Elevated risk53th percentile — higher than 53% of all known CVEs
Summary
An improper input validation vulnerability exists in Apache ActiveMQ's STOMP protocol. A remote unauthenticated attacker can send a negative content-length header, causing denial-of-service (DoS). For NIO STOMP transport, this leads to out-of-memory (OOM), while for blocking STOMP it causes connection errors and closure.
Risk Assessment
The organization is exposed to external DoS attacks that can disrupt ActiveMQ-based systems, leading to service unavailability and potential financial losses.
Recommendation
Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7 immediately, as these versions contain the fix for this vulnerability.
Original NVD description (English source)
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

