Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.

Following the fix for  CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM.
This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7.

Users are recommended to upgrade to version 6.2.7, which fixes the issue.

https://lists.apache.org/thread/nhkmbdym61yp6wwy0dny8w1p46sm87kr

[{"vendor":"Apache Software Foundation","product":"Apache ActiveMQ Broker","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.activemq:activemq-broker","versions":[{"version":"5.19.7","lessThan":"5.19.8","versionType":"semver","status":"affected"},{"version":"6.2.6","lessThan":"6.2.7","versionType":"semver","status":"affected"}]},{"vendor":"Apache Software Foundation","product":"Apache ActiveMQ","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.activemq:apache-activemq","versions":[{"version":"5.19.7","lessThan":"5.19.8","versionType":"semver","status":"affected"},{"version":"6.2.6","lessThan":"6.2.7","versionType":"semver","status":"affected"}]},{"vendor":"Apache Software Foundation","product":"Apache ActiveMQ All","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.activemq:activemq-all","versions":[{"version":"5.19.7","lessThan":"5.19.8","versionType":"semver","status":"affected"},{"version":"6.2.6","lessThan":"6.2.7","versionType":"semver","status":"affected"}]}]