CVE Catalog

CVE-2026-50750

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.71%

49th percentile — higher than 49% of all known CVEs

Summary

A vulnerability in Apache ActiveMQ allows an unauthenticated attacker to cause Out of Memory (OOM) by sending repeated BrokerInfo commands without ConnectionInfo, leading to broker crash.

Risk Assessment

The attack can cause a Denial of Service (DoS) by crashing the broker, impacting the availability of systems relying on ActiveMQ.

Recommendation

Upgrade Apache ActiveMQ to version 6.2.7 (or 5.19.8 for the older line) immediately, which contains the fix for this vulnerability.

Original NVD description (English source)

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM. This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS