ROOT-APP-MAVEN-CVE-2026-39304 CVE-2026-39304 in io.root.org.apache.activemq:activemq-client - Patched by Root

Root has patched CVE-2026-39304 in the io.root.org.apache.activemq:activemq-client package for Root:Maven. Multiple fixed versions available...

OESA-2026-2126 activemq security update

The most popular and powerful open source messaging and Integration Patterns server. Security Fixes: 'Severity: low \n\nAffected versions:\n\n- Apache ActiveMQ Client org.apache.activemq:activemq-client before 5.19.3\n- Apache ActiveMQ Client org.apache.activemq:activemq-client 6.0.0 before...

OESA-2026-2124 activemq security update

The most popular and powerful open source messaging and Integration Patterns server. Security Fixes: 'Severity: low \n\nAffected versions:\n\n- Apache ActiveMQ Client org.apache.activemq:activemq-client before 5.19.3\n- Apache ActiveMQ Client org.apache.activemq:activemq-client 6.0.0 before...

BIT-ACTIVEMQ-2026-39304 Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes...

Allocation of Resources Without Limits or Throttling

Overview org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in NIO SSL transport processing. An attacker can cause the...

Apache ActiveMQ: Denial of Service via Out of Memory vulnerability

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes...

be.yildiz-games:module-messaging-activemq (=2.0.0), cn.hutool.v7:hutool-extra (>=7.0.0-M2 <=7.0.0-M5) +158 more potentially affected by CVE-2026-39304 via org.apache.activemq:activemq-client (>=6.0.0 <=6.2.3)

org.apache.activemq:activemq-client MAVEN version =6.0.0, =7.0.0-M2, =1.1.0, =2.55.0, =1.0.5, =1.1.0, =1.1.0, =1.1.0, =0.2.0, =1.1.0, =7.0.0, =7.0.0, =7.0.1 and more Source cves: CVE-2026-39304 Source advisory: OSV:GHSA-5568-6QCG-G7FX...

be.yildiz-games:module-messaging-activemq (=2.0.0), cn.hutool.v7:hutool-extra (>=7.0.0-M2 <=7.0.0-M5) +158 more potentially affected by CVE-2026-39304 via org.apache.activemq:activemq-client (>=6.0.0 <=6.2.3)

org.apache.activemq:activemq-client MAVEN version =6.0.0, =7.0.0-M2, =1.1.0, =2.55.0, =1.0.5, =1.1.0, =1.1.0, =1.1.0, =0.2.0, =1.1.0, =7.0.0, =7.0.0, =7.0.1 and more Source cves: CVE-2026-39304 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-15992454...

at.chrl:chrl-jms (=1.1.0), at.researchstudio.sat:won-core (>=0.2 <=0.9) +1350 more potentially affected by CVE-2026-39304 via org.apache.activemq:activemq-client (>=5.10.0 <=5.19.3)

org.apache.activemq:activemq-client MAVEN version =5.10.0, =0.2, =0.3, =0.2, =0.2, =0.3, =0.3, =0.3, =0.3, =0.3, =0.2, =0.3, =0.3, =0.6 - at.researchstudio.sat:won-owner =0.3 - at.researchstudio.sat:won-owner-webapp =0.3 and more Source cves: CVE-2026-39304 Source advisory: OSV:GHSA-5568-6QCG-G7F...

CVE-2026-39304

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes...

CVE-2026-39304

Summary: CVE-2026-39304 describes a DoS via Out-of-Memory in Apache ActiveMQ components caused by TLSv1.3 KeyUpdate handling in NIO SSL transports. The broker and clients are affected for multiple versions prior to 6.2.4 or 5.19.4, with the recommended fixes being 6.2.4 or 5.19.5. The issue arise...

CVE-2026-39304 Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes...

PT-2026-31892

Name of the Vulnerable Software and Affected Versions Apache ActiveMQ Client versions before 5.19.4, from 6.0.0 through 6.2.3 Apache ActiveMQ Broker versions before 5.19.4, from 6.0.0 through 6.2.3 Apache ActiveMQ versions before 5.19.4, from 6.0.0 through 6.2.3 Description A denial of service...

Linux Distros Unpatched Vulnerability : CVE-2026-39304

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correct...

BIT-ACTIVEMQ-2026-33227 Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ: Improper Limitation of a Pathname to a Restricted Classpath Directory

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances when creating a Stomp consumer and also browsing messages in the Web console an authenticated...

be.yildiz-games:module-messaging-activemq (=2.0.0), cn.hutool.v7:hutool-extra (>=7.0.0-M2 <=7.0.0-M5) +157 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-client (>=6.0.0 <=6.2.1)

org.apache.activemq:activemq-client MAVEN version =6.0.0, =7.0.0-M2, =1.1.0, =2.55.0, =1.0.5, =1.1.0, =1.1.0, =1.1.0, =0.2.0, =1.1.0, =7.0.0, =7.0.0, =7.0.1 and more Source cves: CVE-2026-33227 Source advisory: OSV:GHSA-H2H4-5M64-M273...

be.yildiz-games:module-messaging-activemq (=2.0.0), cn.hutool.v7:hutool-extra (>=7.0.0-M2 <=7.0.0-M5) +157 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-client (>=6.0.0 <=6.2.1)

org.apache.activemq:activemq-client MAVEN version =6.0.0, =7.0.0-M2, =1.1.0, =2.55.0, =1.0.5, =1.1.0, =1.1.0, =1.1.0, =0.2.0, =1.1.0, =7.0.0, =7.0.0, =7.0.1 and more Source cves: CVE-2026-33227 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-15930948...

at.chrl:chrl-jms (=1.1.0), at.researchstudio.sat:won-core (>=0.2 <=0.9) +1350 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-client (>=5.10.0 <=5.19.2)

org.apache.activemq:activemq-client MAVEN version =5.10.0, =0.2, =0.3, =0.2, =0.2, =0.3, =0.3, =0.3, =0.3, =0.3, =0.2, =0.3, =0.3, =0.6 - at.researchstudio.sat:won-owner =0.3 - at.researchstudio.sat:won-owner-webapp =0.3 and more Source cves: CVE-2026-33227 Source advisory:...

EUVD-2026-19586

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All. In two instances when creating a Stomp consumer and also browsing messages in the Web console an authenticated user provided "key" value could be...

Directory Traversal

Overview org.apache.activemq:activemq-client is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Directory Traversal via improper validation of classpath path names in the key parameter during the creation of a...