CVE-2026-34197

Confirmed PUBLISHED

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

Apache Software Foundation · Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ

1 day faster than CISA KEV

Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
Confirmed
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
In CISA KEV
CVSS / EPSS
8.8 High EPSS 96.7%

At a Glance

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

cisa nuclei_scanner apache
CVE Published
Apr 07, 2026
Exploitation Reported
Jun 01, 2026
CVSS
8.8 High
EPSS
96.7%
Remote Low complexity No user interaction

Affected Versions

Vendor Product Version Status
Red Hat
Red Hat AMQ Broker 7

activemq-broker

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Data Grid 8

activemq-broker

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Enterprise Linux 8

log4j:2/log4j

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Enterprise Linux 9

log4j

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Fuse 7

activemq-all

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat Fuse 7

activemq-broker

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat JBoss Enterprise Application Platform 7

activemq-broker

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat JBoss Enterprise Application Platform 8

activemq-broker

All versions (default: unaffected)

Unaffected
Red Hat
Red Hat JBoss Enterprise Application Platform Expansion Pack

activemq-broker

All versions (default: unaffected)

Unaffected
Apache Software Foundation
Apache ActiveMQ Broker

org.apache.activemq:activemq-broker

0 to < 5.19.4

Affected
Apache Software Foundation
Apache ActiveMQ Broker

org.apache.activemq:activemq-broker

6.0.0 to < 6.2.3

Affected
Apache Software Foundation
Apache ActiveMQ All

org.apache.activemq:activemq-all

0 to < 5.19.4

Affected
Apache Software Foundation
Apache ActiveMQ All

org.apache.activemq:activemq-all

6.0.0 to < 6.2.3

Affected
Apache Software Foundation
Apache ActiveMQ

org.apache.activemq:apache-activemq

0 to < 5.19.4

Affected
Apache Software Foundation
Apache ActiveMQ

org.apache.activemq:apache-activemq

6.0.0 to < 6.2.3

Affected

CVE References

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.