Path Traversal in Apache Software Foundation Activemq

CVE-2026-33227

Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (23.1th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Activemq — versions 0, 6.0.0
Apache Software Foundation Activemq All — versions 0, 6.0.0
Apache Software Foundation Activemq Broker — versions 0, 6.0.0
Apache Software Foundation Activemq Client — versions 0, 6.0.0
Apache Software Foundation Activemq Web — versions 0, 6.0.0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt (vendor-advisory)