CVE-2026-33227

{"id": "CVE-2026-33227", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-04-07T09:16:20.750", "references": [{"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/06/4", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Improper validation and restriction of a classpath path name vulnerability in \n\n Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\n\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.\n\n\n\n\n\nThis issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3."}], "lastModified": "2026-04-20T16:50:36.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7442A37C-AACC-4BF1-8AB7-1B4FBDE44CB4", "versionEndExcluding": "5.19.3"}, {"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "313BB84A-138D-43C8-B265-F789A4BED361", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4342B2A-3F2C-4016-87FB-66D69685FEA0", "versionEndExcluding": "5.19.3"}, {"criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97120890-1D2D-4021-BF6D-362CEB57E13B", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0489A0FD-BF30-47A7-8AB7-19260119ABF1", "versionEndExcluding": "5.19.3"}, {"criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF252D19-2B2F-41ED-A2D6-1C4AC2CDCF37", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}