CVE-2026-45505 - Apache ActiveMQ Jolokia discovery wrapper bypass

Apache ActiveMQ Classic published a follow-up advisory for a Jolokia/JMX remote-code-execution class that earlier patches did not fully close. The issue is a bypass of the CVE-2026-34197 fix: non-parenthesized discovery wrappers such as masterslave: and static: can pass validation and reach broker-management methods exposed through the web console’s /api/jolokia/ bridge.

The important operational detail is that patching only to the original CVE-2026-34197 fixed lines is not enough. Repositories should upgrade ActiveMQ Classic to 5.19.7+ or 6.2.6+, then confirm Jolokia broker-management operations are not reachable by non-admin web users or untrusted networks.

When to use it

Use this recipe when a repository, broker image, or operations platform embeds Apache ActiveMQ Classic with the web console, Jolokia, JMX, or broker management APIs enabled. It supports source-code and deployment remediation, admin-only management review, wrapper validation hardening, and evidence that discovery wrappers cannot reach dangerous broker-management methods.

Inputs

  • ActiveMQ Classic version, web console exposure, Jolokia configuration, authentication/authorization policy, broker management routes, and deployment manifests.
  • Source/config paths that validate discovery wrappers, configure Jolokia/JMX, expose /api/jolokia/, or document broker management access.
  • Regression fixtures for blocked masterslave:/static: wrapper forms, authenticated admin operations, non-admin denial, and disabled Jolokia paths.
  • Boundary evidence: reachable management endpoints, admin groups, network controls, logs, broker credentials, and rollout owner.

Affected versions

Component Vulnerable versions Fixed versions
org.apache.activemq:activemq-broker <5.19.7; >=6.0.0, <6.2.6 5.19.7+, 6.2.6+
org.apache.activemq:activemq-all <5.19.7; >=6.0.0, <6.2.6 5.19.7+, 6.2.6+
org.apache.activemq:apache-activemq / Classic distribution <5.19.7; >=6.0.0, <6.2.6 5.19.7+, 6.2.6+

Apache rates the advisory as important. NVD lists the related CVSS 3.1 vector as High, and the predecessor CVE-2026-34197 is in CISA KEV. Treat exposed broker web consoles and Jolokia APIs as urgent even when authentication is required.

Indicator-of-exposure

  • The repository controls an Apache ActiveMQ Classic broker, embedded broker, broker image, Helm chart, Docker Compose stack, distribution archive, Maven/Gradle dependency, or generated SBOM with an affected ActiveMQ version.
  • /api/jolokia/, the web console, remote JMX, or management endpoints are enabled in an environment reachable by users outside the broker admin team.
  • Broker web users, support users, tenant operators, CI jobs, or automation accounts can authenticate to the console without full broker-admin approval.
  • Configuration, tests, or documentation reference addNetworkConnector, addConnector, NetworkConnector, DiscoveryNetworkConnector, masterslave:, static:, brokerConfig, Jolokia exec operations, or broad org.apache.activemq:* MBean permissions.
  • An earlier remediation stopped at 5.19.4, 5.19.5, or 6.2.3 for CVE-2026-34197 and did not move to 5.19.7 or 6.2.6.

Quick checks:

rg -n "activemq|org\\.apache\\.activemq|apache-activemq|activemq-broker|activemq-all|jolokia|/api/jolokia|addNetworkConnector|addConnector|NetworkConnector|DiscoveryNetworkConnector|masterslave:|static:|brokerConfig|webconsole|jetty\\.xml|jolokia-access" .
mvn -q dependency:tree -Dincludes=org.apache.activemq
gradle dependencies --configuration runtimeClasspath | rg "activemq|jolokia"
docker compose config | rg -i "activemq|jolokia|61616|8161"

Windows:

rg -n "activemq|org\.apache\.activemq|apache-activemq|activemq-broker|activemq-all|jolokia|/api/jolokia|addNetworkConnector|addConnector|NetworkConnector|DiscoveryNetworkConnector|masterslave:|static:|brokerConfig|webconsole|jetty\.xml|jolokia-access" .
mvn -q dependency:tree -Dincludes=org.apache.activemq
gradle dependencies --configuration runtimeClasspath | rg "activemq|jolokia"
docker compose config | rg -i "activemq|jolokia|61616|8161"

Do not send crafted Jolokia exec requests to production brokers or print broker credentials, session cookies, LDAP bind passwords, keystore passwords, truststore passwords, or message payloads during triage.

Remediation strategy

  • Upgrade every repository-controlled ActiveMQ Classic dependency, image, chart, distribution, SBOM, and generated deployment artifact to 5.19.7+ or 6.2.6+.
  • If the repository previously patched CVE-2026-34197, verify the resolved version moved past the incomplete fixed lines and no base image still ships an affected broker.
  • Restrict /api/jolokia/, the web console, and remote JMX to trusted admin networks and admin-only identities. Remove or tighten broad Jolokia exec permissions where repository-owned configuration controls them.
  • Review broker automation, support tooling, and runbooks for non-admin web users that can trigger broker-management methods. Convert those workflows to least-privilege admin approval or service accounts with explicit scope.
  • If upgrade cannot deploy immediately, disable the web console/Jolokia API, block /api/jolokia/ at the reverse proxy, or restrict it to a trusted admin network until the fixed broker version is live.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-45505, an Apache ActiveMQ Classic Jolokia
discovery-wrapper validation bypass that can reopen the CVE-2026-34197 broker
RCE class. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades ActiveMQ Classic to
  5.19.7+ or 6.2.6+, refreshes generated artifacts, restricts Jolokia and web
  console exposure, proves broker-management operations are admin-only, and
  documents operator rollout actions, or
- TRIAGE.md if this repository does not own an affected ActiveMQ Classic
  broker, image, dependency, chart, distribution, or management surface.

## Rules

- Scope only CVE-2026-45505, the directly related CVE-2026-34197 incomplete-fix
  history, and broker-management exposure through Jolokia, web console, remote
  JMX, or repository-owned ActiveMQ packaging.
- Treat broker admin credentials, web-console sessions, Jolokia cookies, LDAP
  bind passwords, JMX passwords, keystore and truststore passwords, message
  payloads, queue data, tenant identifiers, and deployment secrets as sensitive.
- Do not run exploit probes against production brokers, send crafted Jolokia
  exec requests to live services, print secret-bearing configuration values, or
  capture customer messages.
- Do not remove authentication, authorization, network restrictions, audit
  logging, broker-management tests, message-retention controls, or TLS settings
  to silence the finding.
- Do not stop at ActiveMQ `5.19.4`, `5.19.5`, or `6.2.3`; this advisory
  requires `5.19.7+` or `6.2.6+`.
- Do not auto-merge.

## Steps

1. Inventory every ActiveMQ Classic surface controlled by this repository:
   Maven and Gradle dependencies, embedded brokers, Dockerfiles, Compose files,
   Helm charts, Kubernetes manifests, base images, distribution archives,
   integration tests, generated dependency reports, SBOMs, and deployment
   documentation.
2. Determine every resolved ActiveMQ Classic version. A target is vulnerable if
   `org.apache.activemq:activemq-broker`, `activemq-all`, `apache-activemq`, or
   a Classic distribution resolves to `<5.19.7` or `>=6.0.0, <6.2.6`.
3. Search for Jolokia and broker-management exposure:
   `/api/jolokia/`, web console routes, remote JMX, `jetty.xml`,
   `jolokia-access`, `addNetworkConnector`, `addConnector`,
   `NetworkConnector`, `DiscoveryNetworkConnector`, `masterslave:`, `static:`,
   `brokerConfig`, broad `org.apache.activemq:*` MBean permissions, and
   non-admin support or automation accounts.
4. Classify exposure for each broker: local integration test only, internal
   admin network, shared corporate network, internet-facing console, embedded
   broker in an application, managed service image, or externally owned
   platform.
5. If the repository only connects to an externally owned broker, stop with
   `TRIAGE.md` listing checked files, the owning team or provider, required
   fixed versions, and the expected containment on `/api/jolokia/`.
6. Upgrade every controlled ActiveMQ Classic runtime to `5.19.7+` on the 5.x
   line or `6.2.6+` on the 6.x line. Refresh lockfiles, dependency reports,
   generated manifests, SBOMs, image references, deployment docs, and release
   artifacts.
7. Tighten repository-owned management exposure:
   - restrict `/api/jolokia/`, web console, and remote JMX to trusted admin
     networks;
   - require admin-only identities for broker-management operations;
   - remove broad Jolokia exec permissions where a narrower policy is possible;
   - reject support, tenant, CI, or automation accounts that can invoke broker
     management without explicit approval.
8. Add safe regression coverage where this repository owns tests or config:
   - dependency policy rejects affected ActiveMQ Classic versions;
   - rendered images, charts, manifests, and SBOMs name `5.19.7+` or `6.2.6+`;
   - local-only tests prove non-admin console users cannot invoke
     broker-management endpoints;
   - proxy or ingress config blocks `/api/jolokia/` from untrusted networks;
   - test logs omit credentials, cookies, message data, and tenant identifiers.
9. Add a PR body section named `CVE-2026-45505 operator actions` that states:
   - ActiveMQ Classic versions before and after;
   - whether the broker is 5.x or 6.x;
   - which broker images, charts, distributions, or embedded dependencies were
     updated;
   - whether `/api/jolokia/`, web console, or remote JMX is enabled;
   - which identities can administer broker-management operations after the
     change;
   - whether CVE-2026-34197 was previously patched to an incomplete fixed line;
   - whether any broker credentials, support accounts, or web-console sessions
     need rotation or revocation;
   - which validation commands passed.
10. If immediate upgrade is blocked, add temporary containment where this
    repository controls it: disable Jolokia/web console, block `/api/jolokia/`
    at ingress, restrict management ports to a trusted admin network, disable
    low-privilege console users, and document owner, follow-up date, and
    residual risk.
11. Run relevant validation: dependency resolution, lockfile integrity, unit
    tests, broker integration tests, config rendering, container build, Helm or
    Compose render, SBOM refresh, dependency/security scans, and deployment
    dry-run if available.
12. Use PR title:
    `fix(sec): remediate CVE-2026-45505 in ActiveMQ`.

## Stop conditions

- No repository-controlled ActiveMQ Classic broker, image, dependency, chart,
  distribution, management route, or generated artifact exists.
- The only affected broker is an externally owned managed service; document the
  owner and required fixed versions in `TRIAGE.md`.
- Upgrading requires a broker migration or platform change outside this PR's
  ownership.
- Verification would require crafted Jolokia exec requests against production,
  live broker credentials, captured customer messages, or secret-bearing
  configuration output.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades ActiveMQ Classic, restricts Jolokia, proves broker-management operations are admin-only, adds wrapper regression tests, and documents rollout.
  • Or a TRIAGE.md file that lists inspected files/config, owner, observed version, Jolokia exposure, management boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not invoke destructive broker operations, print credentials, or test production brokers.

Verification - what the reviewer looks for

  • No controlled dependency, image, chart, distribution, SBOM, or generated deployment artifact resolves ActiveMQ Classic below 5.19.7 or in >=6.0.0, <6.2.6.
  • The PR explicitly handles the incomplete-fix history for CVE-2026-34197.
  • /api/jolokia/, web console, and remote JMX exposure are disabled, admin-only, or restricted to trusted admin networks.
  • Non-admin web users, support roles, CI accounts, and tenant operators cannot invoke broker-management operations.
  • Tests and validation are local or controlled; they do not send exploit-shaped Jolokia requests to production or print broker secrets.

Watch for

  • Updating Maven dependencies while Docker images, Helm values, vendor distributions, SBOMs, or integration-test fixtures still ship an affected broker.
  • Treating 5.19.4, 5.19.5, or 6.2.3 as sufficient because they addressed the predecessor CVE.
  • Leaving /api/jolokia/ authenticated but reachable by low-privilege web users or shared support accounts.
  • Assuming network containment exists without checking rendered ingress, reverse-proxy, firewall, and Kubernetes Service manifests.
  • Logging Jolokia requests, broker credentials, message samples, LDAP settings, or JMX passwords while debugging.

References