CVE-2024-32114

Published May 2, 2024

Last updated a year ago

CVSS high 8.5
Apache ActiveMQ
Jolokia JMX REST API
Message REST API

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-32114 is an authentication bypass vulnerability in Apache ActiveMQ 6.x that stems from an insecure default configuration. The default configuration exposes critical API endpoints, specifically the Jolokia JMX REST API and the Message REST API, without requiring any authentication, so unauthenticated users can reach these interfaces and interact with the message broker: producing or consuming messages, modifying broker configuration, and purging or deleting message destinations. The vulnerability affects Apache ActiveMQ versions 6.0.0 through 6.1.1 and is addressed in version 6.1.2, where the default configuration was updated to require authentication.

Description
In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using the Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API). To mitigate, users can update the default conf/jetty.xml configuration file to add an authentication requirement:

    <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
      <property name="constraint" ref="securityConstraint" />
      <property name="pathSpec" value="/" />
    </bean>

Or we encourage users to upgrade to Apache ActiveMQ 6.1.2, where the default configuration has been updated with authentication by default.
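The mitigation above works because the Jetty security constraint is only enforced on paths that the securityConstraintMapping's pathSpec covers, and a pathSpec of "/" covers every path including the /api context. The following check is an added example written for this page (it is not Apache's code, and the two sample jetty.xml fragments are constructed for illustration, not copies of the file ActiveMQ ships): it parses a jetty.xml, reads the pathSpec of the securityConstraintMapping bean, and reports which of the advisory's API paths fall outside it. The path-spec matcher is a simplified version of servlet-style matching (default "/", prefix "/x/*", suffix "*.ext", exact), and the check assumes the referenced securityConstraint bean is registered with the ConstraintSecurityHandler and has authenticate set to true, which the example verifies separately.

```python
"""Verify that an ActiveMQ conf/jetty.xml protects the /api web context (added example)."""
import xml.etree.ElementTree as ET
from typing import List

# Representative paths under the /api context named in the advisory:
# the Jolokia JMX REST API and the Message REST API.
API_PATHS = [
    "/api/jolokia/",
    "/api/jolokia/read/java.lang:type=Runtime",
    "/api/message/TEST",
]

# Constructed sample of a WEAK configuration: the mapping exists but its pathSpec
# leaves /api uncovered. Illustrative only; not the actual shipped default.
WEAK_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="user,admin" />
    <property name="authenticate" value="true" />
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/admin/*,*.jsp" />
  </bean>
</beans>"""

# Constructed sample applying the advisory's fix: pathSpec "/" covers every path.
FIXED_JETTY_XML = WEAK_JETTY_XML.replace('value="/admin/*,*.jsp"', 'value="/"')


def _local(tag: str) -> str:
    """Strip the Spring beans XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _bean_property(jetty_xml: str, bean_id: str, prop_name: str) -> str:
    """Return the 'value' attribute of <property name=prop_name> inside <bean id=bean_id>, or ''."""
    root = ET.fromstring(jetty_xml)
    for bean in root.iter():
        if _local(bean.tag) == "bean" and bean.get("id") == bean_id:
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == prop_name:
                    return prop.get("value") or ""
    return ""


def constraint_path_specs(jetty_xml: str) -> List[str]:
    """Comma-separated pathSpec entries of the securityConstraintMapping bean."""
    raw = _bean_property(jetty_xml, "securityConstraintMapping", "pathSpec")
    return [s.strip() for s in raw.split(",") if s.strip()]


def authentication_required(jetty_xml: str) -> bool:
    """True when the securityConstraint bean actually demands authentication."""
    return _bean_property(jetty_xml, "securityConstraint", "authenticate").lower() == "true"


def spec_matches(spec: str, path: str) -> bool:
    """Simplified servlet-style path-spec matching (default, prefix, suffix, exact)."""
    if spec in ("/", "/*"):
        return True  # default mapping: every path
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def unprotected_api_paths(jetty_xml: str, paths: List[str] = API_PATHS) -> List[str]:
    """API paths that no constraint-mapping pathSpec covers (or all, if auth is off)."""
    if not authentication_required(jetty_xml):
        return list(paths)
    specs = constraint_path_specs(jetty_xml)
    return [p for p in paths if not any(spec_matches(s, p) for s in specs)]


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_JETTY_XML), ("fixed", FIXED_JETTY_XML)):
        exposed = unprotected_api_paths(xml_text)
        print(f"{label}: pathSpec={constraint_path_specs(xml_text)} exposed={exposed}")
```

Run against a real conf/jetty.xml by reading the file into a string and calling unprotected_api_paths on it; an empty list means the mapping covers the Jolokia and Message REST API paths. A non-empty list on a 6.0.0 to 6.1.1 broker is the condition the advisory describes, and the remedy is either the pathSpec change shown above or the upgrade to 6.1.2.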
Source
security@apache.org
NVD status
Analyzed
Products
activemq

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-1188

Social media

Hype score
Not currently trending
  1. 🚨 [HIGH] Active exploitation detected: CVE-2024-32114 Exploit in the wild confirmed for CVE-2024-32114 (CVSS null). In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (wh... 🔗 https://t.co/RZBhpWnHFz #ZeroDay #ExploitInWild #CyberSecurity

    @ctiwatchcloud

    22 Apr 2026

    79 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Our canary network is seeing unauthenticated exploitation of Apache ActiveMQ via CVE-2024-32114 + CVE-2026-34197. CVE-2024-32114 is not on CISA KEV but we added it to VulnCheck KEV today. We see spread of CVE-2026-34197, but CVE-2024-32114 is sourcing from Digital Ocean atm.

    @Junior_Baines

    22 Apr 2026

    5770 Impressions

    8 Retweets

    17 Likes

    8 Bookmarks

    0 Replies

    1 Quote

  3. ActiveMQ's CVE-2026-34197 (CVSS 8.8) is under active exploitation, affecting roughly 6,400 publicly exposed hosts. RCE is possible via the Jolokia API, and chained with CVE-2024-32114 it also enables unauthenticated RCE. A bug undetected for 13 years was found with Claude AI assistance; CISA added it to KEV / Actively exploited Apache ActiveMQ flaw impacts 6,40

    @__su888

    21 Apr 2026

    112 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. A 13-year-old flaw in Apache ActiveMQ can lead to RCE. CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions. Patched in 5.19.4 and 6.2.3. 🔗 Learn more → https://t.co/f6HCobOTBr http

    @TheHackersNews

    10 Apr 2026

    13270 Impressions

    35 Retweets

    98 Likes

    23 Bookmarks

    3 Replies

    2 Quotes

  5. Apache ActiveMQ CVE-2026-34197 allows RCE via Jolokia API by forcing brokers to load attacker-controlled remote Spring configs, becoming unauthenticated RCE on versions 6.0.0–6.1.1 due to CVE-2024-32114. https://t.co/HGn5MYE7bF

    @VivekIntel

    8 Apr 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. ⚠️ **Vulnerability Alert:** Apache ActiveMQ Classic — Jolokia JMX RCE chain (CVE-2026-34197) and related auth bypass (CVE-2024-32114) 📅 **Timeline:** Disclosure: 2024-05-02; 2026-04-07, Patch: 2024-05-02; 2026-04-07 🆔 **CVE-2026-34197** | 📊 CVSS: 8.8 (HIGH 🟠) |

    @syedaquib77

    8 Apr 2026

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. ⚠️ **Vulnerability Alert:** Apache ActiveMQ — Consolidated RCE and Jolokia/OpenWire/Fileserver issues (CVE-2026-34197 + CVE-2024-32114 + CVE-2022-41678 + CVE-2023-46604 + CVE-2016-3088) 📅 **Timeline:** Disclosure: 2026-04-07, Patch: unknown 🆔 **CVE-2026-34197** |

    @syedaquib77

    7 Apr 2026

    64 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations