
ActiveMQ

vactivemq-5.19.7 scope: activemq Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 3 known CVEs

Topics

activemq amqp amqps apache broker java jms messaging mqtt openwire stomp

Affected surfaces

deps

ReleasePort's take

Moderate signal

Version 5.19.7 removes java.lang from the default serializable package list and upgrades netty, snappy, karaf to address known CVEs while hardening broker/web‑console defaults.

Why it matters: CVE severity is unspecified; bumping netty, snappy, and karaf addresses known vulnerabilities, which is critical for operators managing dependency upgrades. Hardening the default configuration mitigates exposure from insecure defaults.

Summary

AI summary

Removed java.lang from the default allowed serializable packages.

Changes in this release

Security Critical

Bump netty, snappy, karaf to address known CVEs


Source: llm_adapter@2026-05-31

Confidence: low

Security High

Harden default broker and web console configuration


Source: llm_adapter@2026-05-31

Confidence: high

Security High

Fix authorization check on removeDestination operation


Source: llm_adapter@2026-05-31

Confidence: high

Security Medium

Remove "java.lang" package as a default allowed serializable package


Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Feature Low

Disable the message servlet by default


Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Deprecation Medium

Block the XBeanBrokerFactory by default inside VMTransportFactory


Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Medium

Handle validation for Composite URIs without parens


Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Ensure connection info is processed before durable sync


Source: llm_adapter@2026-05-31

Confidence: high

Refactor Low

Add more transport types to the denied list for JMX part 2


Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Full changelog

What's Changed

  • Bump to 5.19.7-SNAPSHOT by @jbonofre in https://github.com/apache/activemq/pull/1962
  • [5.19.x] Add more transport types to the denied list for JMX part 2 (#1972) by @cshannon in https://github.com/apache/activemq/pull/1974
  • Execute CI on activemq-5.19.x and activemq-6.2.x branches (5.19.x) by @jbonofre in https://github.com/apache/activemq/pull/1959
  • [5.19.x] Block the XBeanBrokerFactory by default inside VMTransportFactory (#2003) by @cshannon in https://github.com/apache/activemq/pull/2011
  • [5.19.x] Handle validation for Composite URIs without parens (#2004) by @cshannon in https://github.com/apache/activemq/pull/2013
  • [5.19.x] Disable the message servlet by default (#2000) by @cshannon in https://github.com/apache/activemq/pull/2015
  • [#2005] 5.19.x - Fix authorization check on removeDestination by @mattrpav in https://github.com/apache/activemq/pull/2008
  • [5.19.x] Remove "java.lang" package as a default allowed serializable package (#2026) by @cshannon in https://github.com/apache/activemq/pull/2028
  • Bump netty, snappy, karaf to address known CVEs on activemq-5.19.x by @jbonofre in https://github.com/apache/activemq/pull/2031
  • Harden default broker and web console configuration (5.19.x backport) by @jbonofre in https://github.com/apache/activemq/pull/2036
  • [5.19.x] Harden web console and Jolokia access by default (#2025) by @jbonofre in https://github.com/apache/activemq/pull/2038
  • [5.19.x] Backport network flaky test improvements by @cshannon in https://github.com/apache/activemq/pull/2046
  • [5.19.x] Ensure connection info is processed before durable sync by @cshannon in https://github.com/apache/activemq/pull/2049

Full Changelog: https://github.com/apache/activemq/compare/activemq-5.19.6...activemq-5.19.7

Breaking Changes

  • Removed "java.lang" package as a default allowed serializable package

Security Fixes

  • Bump netty, snappy, karaf to address known CVEs
  • Harden web console and Jolokia access by default
  • Harden default broker and web console configuration (5.19.x backport)
