CVE-2026-50734
HighCVSS 7.5Exploitation Probability (EPSS)
Elevated risk52th percentile — higher than 52% of all known CVEs
Summary
A vulnerability in Apache ActiveMQ allows an unauthenticated attacker to remotely cause a Denial of Service (DoS) of the broker by sending a crafted WireFormatInfo frame with a maliciously large size value. The lack of validation leads to memory allocation attempts during pre-auth negotiation, potentially causing an Out-of-Memory (OOM) condition and broker crash.
Risk Assessment
An attacker can render the ActiveMQ broker unavailable, disrupting systems relying on message queuing and potentially crippling critical business processes.
Recommendation
Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7 immediately, as these versions contain the fix for this vulnerability.
Original NVD description (English source)
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All. An unauthenticated network attacker can cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The value is not validate and causes the broker to attempt allocation during pre-auth negotiation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

