ActiveMQ 5.19.8 Release

Apache Classic 5.19.8 was released on Jun 29th, 2026.

This is a maintenance release on the 5.19.x series, including:

  • Update Stomp transports with improved validation
  • Send advisory messages using the broker connection context
  • Several security enforcement and validation fixes (https in BrokerView, webconsole, …)
  • Preserve ${…} placeholders when removing/modifying networkConnectors in RuntimeConfigurationPlugin

Notable updates regarding security and breaking changes:

  • This release introduces maxInflatedDataSize and maxInflatedDataSizeRatio as possible breaking changes to be aware of. maxInflatedDataSize is the maximum allowed size of an uncompressed message body. The default on the broker is 100 MB which is in line with the default maxFrameSize of defined in the XML config of 10 MB on a transport. For the client, maxInflatedDataSize is computed as a ratio using maxInflatedDataSizeRatio
  • By default, allowTempDestinationStealing has now been disabled. In previous releases, connections could add consumers on any temporary destination. Now only the connection that created the temporary destination can consume. This may cause problems with failover or network bridging if using temporary destinations in those scenarios. You can re-nable the preivous behavior by setting allowTempDestinationStealing to true, but this would only be recommended if you are not concerned with unauthorized connections consuming from those destinations.
  • The WebConsole is now restricted only to admin users by default. The WebConsole uses admin credentials to perform some functions, including when browsing destinations. Therefore, it is recommended to not grant access to non-admin users as the WebConsole is specifically meant for admins.

Other notable changes from the recent 5.19.7 and 5.19.8 release:

  • The WebConsole configuration has been hardened in including limiting allowed hosts/ips by default. This can be changed in the jetty.xml file.
  • Jolokia has been restricted to administrators only.
  • The XBeanBrokerFactory is blocked by default when using the VM Transport. It can be re-enabled with the org.apache.activemq.transport.VM_TRANSPORT_FACTORY_SCHEMES_ENABLED system property.
  • The java.lang package is no longer part of the default allowed serializable packages list. This is configured using the org.apache.activemq.SERIALIZABLE_PACKAGES system property. See ObjectMessage for more info.
  • The XBeanBrokerFactory is restricted to to local file system and classpath protocols only. This can be changed using the org.apache.activemq.xbean.XBEAN_BROKER_FACTORY_PROTOCOLS system property.

You can find details on the release notes.

Getting the Binary Distributions

Description Download Link Verify
Windows Distribution apache-activemq-5.19.8-bin.zip ASC, SHA512
Unix/Linux/Cygwin Distribution apache-activemq-5.19.8-bin.tar.gz ASC, SHA512

Java compatibility: 11+

Verify the Integrity of Downloads

It is essential that you verify the integrity of the downloaded files using the ASC signature or SHA checksum.

The ASC signatures can be verified using PGP or GPG. Begin by following these steps:

  1. Download the KEYS file.
  2. Download the .asc signature for the relevant distribution file.
  3. Verify the signature.
    • If using GPG:
       $ gpg --import KEYS
       $ gpg --verify <file-name>.asc <file-name>
      
    • If using PGP:
       $ pgp -ka KEYS
       $ pgp <file-name>.asc
      

Alternatively you can [also] verify the SHA-512 checksum of the file. For example, using the sha512sum command:

$ sha512sum -c <file-name>.sha512

Getting the Binaries using Maven 3

To use this release in your maven project, the simplest dependency that you can use in your Maven POM is:

<dependency>
  <groupId>org.apache.activemq</groupId>
  <artifactId>activemq-all</artifactId>
  <version>5.19.8</version>
</dependency>

If you need more fine grained control of your dependencies (activemq-all is an uber jar) pick and choose from the various components activemq-client, activemq-broker, activemq-xx-store etc.

Getting the Source Code

Source Distributions

Description Download Link Verify
Source Release: activemq-parent-5.19.8-source-release.zip ASC, SHA512

Change Log

For a more detailed view of new features and bug fixes, see the release notes

Also see the previous ActiveMQ 5.19.7 Release

Apache, ActiveMQ, Apache ActiveMQ, the Apache logo, and the Apache ActiveMQ project logo are trademarks of The Apache Software Foundation. Copyright © 2025, The Apache Software Foundation. Licensed under Apache License 2.0.