What is CVE-2026-39304?

CVE-2026-39304 is a high-severity vulnerability in Apache Activemq, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2026-04-10.

How severe is CVE-2026-39304?

High severity. CVSS v3 base score is 7.5 out of 10.

Resource exhaustion in Apache Activemq

CVE-2026-39304

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it pos…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (17.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Apache Activemq
Apache Activemq_broker
Apache Software Foundation Activemq — versions 0, 6.0.0
Apache Software Foundation Activemq All — versions 0, 6.0.0
Apache Software Foundation Activemq Broker — versions 0, 6.0.0
Apache Software Foundation Activemq Client — versions 0, 6.0.0

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

security@apache.org (vendor-advisory, Vendor Advisory)
af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)

Frequently asked questions

What is CVE-2026-39304?: CVE-2026-39304 is a high-severity vulnerability in Apache Activemq, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2026-04-10.
How severe is CVE-2026-39304?: High severity. CVSS v3 base score is 7.5 out of 10.