CVE-2026-50750
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk49th percentile — higher than 49% of all known CVEs
Summary
A vulnerability in Apache ActiveMQ allows an unauthenticated attacker to cause Out of Memory (OOM) by sending repeated BrokerInfo commands without ConnectionInfo, leading to broker crash.
Risk Assessment
The attack can cause a Denial of Service (DoS) by crashing the broker, impacting the availability of systems relying on ActiveMQ.
Recommendation
Upgrade Apache ActiveMQ to version 6.2.7 (or 5.19.8 for the older line) immediately, which contains the fix for this vulnerability.
Original NVD description (English source)
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM. This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

