
ActiveMQ

activemq-6.2.6 (scope: activemq, Security)

This release patches 8 CVEs for security teams tracking exposure across their dependency inventory.

Patched CVEs include CVE-2016-3088 (EPSS 94%), CVE-2016-4437 (EPSS 94%) and CVE-2021-39144 (EPSS 94%), plus 5 more.

Topics

activemq, amqp, amqps, apache, broker, java, jms, messaging, mqtt, openwire, stomp

Affected surfaces

auth rbac rce_ssrf

ReleasePort's take

Moderate signal

Version 6.2.6 removes java.lang from the default serialization whitelist and hardens web console/Jolokia access by default.

Why it matters: Affects any application that relies on serializing java.lang classes or accessing unauthenticated console endpoints; enforce updated security settings before deployment.

Summary (AI-generated)

Remove java.lang as a default allowed serializable package, harden web console and Jolokia access by default.

Changes in this release

Classification source: llm_adapter@2026-05-31

  • Security, Critical: Bump dependencies for CVE fixes on 6.2.x branch. (Confidence: high)
  • Security, High: Harden default broker and web console configuration. (Confidence: high)
  • Security, High: Harden web console and Jolokia access by default. (Confidence: high)
  • Feature, Low: Disable the message servlet by default. (Confidence: high)
  • Feature, Low: Block XBeanBrokerFactory by default inside VMTransportFactory. (Confidence: high)
  • Dependency, High: Bump log4j version from 2.25.3 to 2.25.4. (Confidence: high)
  • Dependency, High: Bump shiro version from 2.1.0 to 2.2.0. (Confidence: high)
  • Deprecation, Medium: Remove "java.lang" package as a default allowed serializable package. (Confidence: high)
  • Bugfix, Medium: Handle validation for Composite URIs without parentheses. (Confidence: high)
  • Bugfix, Medium: Fix authorization check on removeDestination operation. (Confidence: low)

Full changelog

What's Changed

  • Bump to 6.2.6-SNAPSHOT by @jbonofre in https://github.com/apache/activemq/pull/1961
  • [6.2.x] Add more transport types to the denied list for JMX part 2 (#1972) by @cshannon in https://github.com/apache/activemq/pull/1973
  • Execute CI on activemq-5.19.x and activemq-6.2.x branches (6.2.x) by @jbonofre in https://github.com/apache/activemq/pull/1958
  • build(deps): bump log4j-version from 2.25.3 to 2.25.4 by @robertregina59 in https://github.com/apache/activemq/pull/1993
  • [6.2.x] Block the XBeanBrokerFactory by default inside VMTransportFactory (#2003) by @cshannon in https://github.com/apache/activemq/pull/2010
  • [6.2.x] Handle validation for Composite URIs without parens (#2004) by @cshannon in https://github.com/apache/activemq/pull/2012
  • [6.2.x] Disable the message servlet by default (#2000) by @cshannon in https://github.com/apache/activemq/pull/2014
  • [#2005] 6.2.x - Fix authorization check on removeDestination by @mattrpav in https://github.com/apache/activemq/pull/2009
  • [6.2.x] Remove "java.lang" package as a default allowed serializable package (#2026) by @cshannon in https://github.com/apache/activemq/pull/2027
  • Bump dependencies for CVE fixes on 6.2.x by @jbonofre in https://github.com/apache/activemq/pull/2030
  • Harden default broker and web console configuration (6.2.x backport) by @jbonofre in https://github.com/apache/activemq/pull/2035
  • build(deps): bump shiro-version from 2.1.0 to 2.2.0 (6.2.x backport) by @jbonofre in https://github.com/apache/activemq/pull/2041
  • [6.2.x] Harden web console and Jolokia access by default (#2025) by @jbonofre in https://github.com/apache/activemq/pull/2037
  • [6.2.x] Backport network flaky test improvements by @cshannon in https://github.com/apache/activemq/pull/2045
  • [6.2.x] Ensure connection info is processed before durable sync by @cshannon in https://github.com/apache/activemq/pull/2048

New Contributors

  • @robertregina59 made their first contribution in https://github.com/apache/activemq/pull/1993

Full Changelog: https://github.com/apache/activemq/compare/activemq-6.2.5...activemq-6.2.6

Breaking Changes

  • Remove "java.lang" package as a default allowed serializable package (#2026)
  • Disable the message servlet by default (#2000)
  • Block the XBeanBrokerFactory by default inside VMTransportFactory (#2003)

Security Fixes

  • Harden web console and Jolokia access by default (6.2.x backport #2025)
  • Bump dependencies for CVE fixes on 6.2.x
