OverviewQuickstartResponse FieldsAPI ReferenceSDK ReferenceAccount & PortalAI Agent IntegrationCI/CD IntegrationIntegrations↳ LangChainProductsSupply chainFAQ
products / apache_activemq

Apache ActiveMQ

Apache ActiveMQ is a message broker implementing the JMS specification, widely deployed for enterprise messaging and event-driven architectures. The Apache Software Foundation is a CNA, producing consistently enriched NVD records. ActiveMQ has a significant CVE history dominated by Java deserialization vulnerabilities; CVE-2023-46604 is a CVSS 10.0 RCE listed in the CISA Known Exploited Vulnerabilities catalog.

api usage

Querying Apache ActiveMQ

product slugapache_activemq
version format5.18.3, 5.17.6, 5.16.7
bash
curl "https://api.attestd.io/v1/check?product=apache_activemq&version=5.18.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

ActiveMQ 5.18.0 is affected by CVE-2023-46604 (OpenWire deserialization RCE, CISA KEV). Expect risk_state: "critical" and actively_exploited: true.

json
{
  "product": "apache_activemq",
  "version": "5.18.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "5.18.3",
  "confidence": 0.94,
  "cve_ids": ["CVE-2023-46604"],
  "last_updated": "2026-02-23T18:21:30Z"
}
safe version

ActiveMQ 5.18.3 includes the patch for CVE-2023-46604 and has no known critical vulnerabilities at the time of the last synthesis run.

bash
curl "https://api.attestd.io/v1/check?product=apache_activemq&version=5.18.3" \
  -H "Authorization: Bearer $ATTESTD_KEY"
notable cves

CVE history

ActiveMQ's CVE history is dominated by Java deserialization vulnerabilities in its message processing pipeline and management interfaces. CVE-2023-46604 represents the most severe recent case: a pre-authentication RCE over the OpenWire port (default 61616) that requires no credentials and was actively weaponized in ransomware campaigns.

CVEDescriptionAffectsCVSS
CVE-2023-46604Remote code execution via ClassPathXmlApplicationContext deserialization over the OpenWire protocol. CISA KEV. Actively exploited in ransomware campaigns.< 5.15.16, < 5.16.7, < 5.17.6, < 5.18.310.0
CVE-2022-41678Remote code execution via Java deserialization in the Jolokia JMX API, accessible to authenticated users.< 5.16.6, < 5.17.4, < 5.18.08.8
CVE-2016-3088Path traversal via the HTTP fileserver component allowing arbitrary file write to the server.< 5.14.09.8
CVE-2015-5254Remote code execution via Java deserialization of JMS ObjectMessage; triggered on message receipt.< 5.12.19.8
CVE-2014-3612Authentication bypass via crafted login credentials in certain LDAP authentication configurations.< 5.9.17.5
related
All productsApache KafkaRabbitMQResponse Field Reference