GHSA-h2h4-5m64-m273 · Severity: medium · Ecosystem: maven — Apache ActiveMQ: Improper validation and restriction of a classpath path name
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
Conclusion & alert: CVE-2026-33227 is rated Low Risk (22.6/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.05%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-13 | 0.04% | 0.05% | +0.01% |
| 2 | 2026-04-07 | — | 0.04% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.3 | 3.1 | MEDIUM |
|
2.8 | 1.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-h2h4-5m64-m273 · Severity: medium · Ecosystem: maven — Apache ActiveMQ: Improper validation and restriction of a classpath path name
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-33227 not yet assigned priority: Debian including 1 source packages (activemq), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): open 4. | https://security-tracker.debian.org/tracker/CVE-2026-33227 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-33227 |
ubuntu
|
medium | CVE-2026-33227 medium priority: Ubuntu including 1 source packages (activemq), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 7. | https://ubuntu.com/security/CVE-2026-33227 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | activemq | < 5.19.3 | cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* |
| apache | activemq | >= 6.0.0, < 6.2.2 | cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* |
| apache | activemq_broker | < 5.19.3 | cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* |
| apache | activemq_broker | >= 6.0.0, < 6.2.2 | cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* |
| apache | activemq_web | < 5.19.3 | cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:* |
| apache | activemq_web | >= 6.0.0, < 6.2.2 | cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/04/06/4 | Mailing List Third Party Advisory |