CISA Warns of Active Exploitation in Apache ActiveMQ Jolokia API Vulnerability
Take action: If you're running Apache ActiveMQ, upgrade to version 5.19.4 or 6.2.3 ASAP. Attackers are actively exploiting this right now. While you're at it, make sure your ActiveMQ console is not exposed to the internet, change any default admin:admin credentials, and disable the Jolokia endpoint entirely if you don't need it.
CISA is reporting active exploitation of a high-severity remote code execution vulnerability in Apache ActiveMQ Classic.
The flaw, tracked as CVE-2026-34197 (CVSS score 8.8), is caused by improper input validation in the Jolokia JMX-HTTP bridge exposed via the ActiveMQ web console. An authenticated attacker can send crafted requests containing a malicious discovery URI, forcing the broker to load a remote Spring XML configuration and execute arbitrary code on the broker's JVM, for example via Runtime.exec().
According to Horizon3.ai researcher Naveen Sunkavally, the vulnerability had been hiding in plain sight for 13 years before its discovery.
This vulnerability can be chained with an older flaw. On ActiveMQ versions 6.0.0 through 6.1.1, a separate vulnerability, CVE-2024-32114, inadvertently removes the Jolokia endpoint from the web console's security constraints, leaving it completely unauthenticated. When chained with CVE-2026-34197, the result is effectively unauthenticated remote code execution.
Even in environments where authentication is enforced, default credentials (admin:admin) remain common, further lowering the bar for exploitation.
The following versions are impacted:
- Apache ActiveMQ Broker (activemq-broker) before 5.19.4
- Apache ActiveMQ Broker (activemq-broker) 6.0.0 before 6.2.3
- Apache ActiveMQ (activemq-all) before 5.19.4
- Apache ActiveMQ (activemq-all) 6.0.0 before 6.2.3
Threat actors are actively scanning for exposed ActiveMQ instances to leverage this code injection pathway for initial network access. Telemetry gathered by Fortinet FortiGuard Labs revealed dozens of exploitation attempts over just a few days, with activity peaking on April 14, 2026.
Horizon3 researchers noted that signs of exploitation can be identified by analyzing ActiveMQ broker logs, particularly by looking for suspicious broker connections using the brokerConfig=xbean:http:// query parameter and the internal VM transport protocol.
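The log check described above, as an added example that is not from the article, Horizon3 or the ActiveMQ project: a Python scanner that flags lines carrying a brokerConfig=xbean:http:// parameter and raises the severity when the VM transport appears on the same line. The log layout, sample lines and addresses are constructed, and matching percent-encoded forms goes beyond what the article states.

```python
import re
from urllib.parse import unquote

# Indicators named in the article: the internal VM transport and a
# brokerConfig parameter pointing at a remote (http/https) xbean resource.
VM_TRANSPORT = re.compile(r"\bvm://", re.IGNORECASE)
REMOTE_XBEAN = re.compile(r"brokerConfig=xbean:(https?://\S+)", re.IGNORECASE)

def normalize(line, max_rounds=3):
    """Percent-decode repeatedly so encoded variants still match."""
    for _ in range(max_rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan(lines):
    """Return one dict per suspicious line: number, severity, remote URL, raw text."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        text = normalize(raw)
        match = REMOTE_XBEAN.search(text)
        if not match:
            continue  # a local xbean:activemq.xml config is normal and not flagged
        # Both indicators together is the pattern the article describes;
        # the remote parameter on its own is still queued for review.
        severity = "high" if VM_TRANSPORT.search(text) else "review"
        findings.append({"line": number, "severity": severity,
                         "remote": match.group(1), "raw": raw.rstrip()})
    return findings

# Constructed sample lines (not real broker output); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    "2026-04-14 09:12:01,120 | INFO  | Connector openwire started | constructed.Logger | main",
    "2026-04-14 09:13:44,871 | WARN  | Could not connect to vm://placeholder?brokerConfig=xbean:http://192.0.2.10/placeholder.xml | constructed.Logger | qtp-1",
    "2026-04-14 09:14:02,003 | WARN  | Could not connect to vm://placeholder?brokerConfig%3Dxbean%3Ahttp%3A%2F%2F192.0.2.11%2Fplaceholder.xml | constructed.Logger | qtp-2",
    "2026-04-14 09:15:10,400 | INFO  | Using vm://localhost?brokerConfig=xbean:activemq.xml | constructed.Logger | main",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} line {f['line']}: remote config {f['remote']}")
```

A hit records the remote host the broker was told to fetch configuration from, which is the value to pivot on in proxy and egress firewall logs.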
Organizations are strongly urged to upgrade to patched versions 5.19.4 or 6.2.3 immediately, audit deployments for externally accessible Jolokia endpoints, restrict access to trusted networks, enforce strong authentication, and disable Jolokia where it is not required.