CVE-2026-34197

Published Apr 7, 2026

Last updated a month ago

Exploit known
CVSS high 8.8
Server
web application
Ubuntu
Apache ActiveMQ Broker
Apache ActiveMQ Classic
Apache ActiveMQ

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-34197 is an improper input validation and code injection vulnerability affecting Apache ActiveMQ Classic. This flaw resides in the Jolokia JMX-HTTP bridge, exposed on the web console, which by default permits `exec` operations on ActiveMQ MBeans, including `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)`. An authenticated attacker can exploit this by invoking these operations with a specially crafted discovery URI. This URI triggers the VM transport's `brokerConfig` parameter to load a remote Spring XML application context, which then instantiates singleton beans and executes arbitrary code on the broker's Java Virtual Machine (JVM) through methods like `Runtime.exec()`. While exploitation typically requires authentication, certain versions of Apache ActiveMQ Classic (6.0.0 through 6.1.1) are also affected by CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In these specific versions, CVE-2026-34197 can be exploited without credentials, effectively becoming an unauthenticated remote code execution vulnerability. This vulnerability has been present in the codebase for approximately 13 years and affects Apache ActiveMQ Broker versions before 5.19.4 and from 6.0.0 before 6.2.3.

Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
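As an added triage example (not part of the CVE record and not Apache's code), the Python below encodes the affected ranges stated in the overview and description above, classifies a host as unaffected, affected behind authentication, or effectively unauthenticated (the 6.0.0 through 6.1.1 overlap with CVE-2024-32114), and flags web-console access-log lines that show a Jolokia request naming one of the two MBean operations the advisory identifies. The host inventory and log lines are constructed for the example, and it assumes the Jolokia operation name is visible in whatever the access log records (the request path for Jolokia's GET-style URLs); POST bodies are not normally logged, so treat a clean log as absence of evidence only.

```python
"""Triage helper for CVE-2026-34197 (Apache ActiveMQ Classic, Jolokia exec).

Added example, not part of the CVE record. Version ranges come from the
advisory text; inventory and log lines below are constructed sample data.
"""
import re

# Ranges stated in the advisory: before 5.19.4, and from 6.0.0 before 6.2.3.
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
# Versions that also carry CVE-2024-32114 (Jolokia reachable without auth),
# per the overview: 6.0.0 through 6.1.1 inclusive.
UNAUTH_LO, UNAUTH_HI = (6, 0, 0), (6, 1, 1)

# Endpoint and MBean operations named in the advisory.
JOLOKIA_PATH = "/api/jolokia/"
RISKY_OPS = ("addNetworkConnector", "addConnector")


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '5.18.3', '6.1.1-SNAPSHOT' or '5.15.0.redhat-1' into an int triple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: str) -> str:
    """Map a broker version to its exposure to CVE-2026-34197."""
    v = parse_version(version)
    affected = v < FIXED_5X or (v >= (6, 0, 0) and v < FIXED_6X)
    if not affected:
        return "not affected"
    if UNAUTH_LO <= v <= UNAUTH_HI:
        # Jolokia exec is reachable without credentials on these builds.
        return "affected (unauthenticated via CVE-2024-32114)"
    return "affected (authenticated)"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify every host in a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


def flags_jolokia_exec(line: str) -> bool:
    """True if an access-log line shows a Jolokia exec naming a risky operation.

    Assumption: the operation name appears in the logged request (true for
    Jolokia GET-style URLs; POST bodies are usually not logged).
    """
    if JOLOKIA_PATH not in line:
        return False
    return "/exec/" in line and any(op in line for op in RISKY_OPS)


def suspicious_lines(log_lines: list[str]) -> list[int]:
    """Return indexes of log lines that match flags_jolokia_exec."""
    return [i for i, line in enumerate(log_lines) if flags_jolokia_exec(line)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mq-legacy-01": "5.18.3",
    "mq-prod-02": "5.19.4",
    "mq-dev-03": "6.1.1",
    "mq-stage-04": "6.2.2",
}

# Constructed sample access-log lines; only the third names a risky exec.
SAMPLE_LOG = [
    '10.0.0.5 - admin [08/Apr/2026:10:01:02 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 1520',
    '10.0.0.9 - admin [08/Apr/2026:10:01:09 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost HTTP/1.1" 200 812',
    '203.0.113.7 - - [08/Apr/2026:10:02:41 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/REDACTED HTTP/1.1" 200 240',
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
    for idx in suspicious_lines(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[idx])
```

The classifier deliberately treats 5.19.4 and 6.2.3 as the fixed boundaries exactly as the advisory states them; a third-party build string such as a vendor suffix is reduced to its numeric prefix, so confirm the vendor's own backport status rather than trusting the number alone.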
Source
security@apache.org
NVD status
Analyzed
Products
activemq, activemq_broker

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Apache ActiveMQ Improper Input Validation Vulnerability
Exploit added on
Apr 16, 2026
Exploit action due
Apr 30, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security@apache.org
CWE-20

Social media

Hype score
Not currently trending
  1. ⚡️ May "In the Trend of VM" (#27): Linux EoP (CVE-2026-31431), ActiveMQ RCE (CVE-2026-34197), SharePoint spoofing (CVE-2026-32201), Adobe Reader RCE (CVE-2026-34621) #TrendVulns #Linux #ActiveMQ #Microsoft #Adobe ➡️ https://t.co/4aiqSqJ6Ig https://t.co/w6uc5BlpwN

    @leonov_av

    25 May 2026

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Try our free labs: CVE-2026-44578: Next.js WebSocket Upgrade SSRF via Absolute-Form Request URI CVE-2026-33937: Handlebars.js Template Engine RCE via AST type confusion in compile() CVE-2026-34197: Apache ActiveMQ Jolokia RCE—solved via addNetworkConnector + vm:// transport

    @cveplayground

    19 May 2026

    106 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2026-34197: CISA moved an Apache ActiveMQ code-injection flaw (CVE-2026-34197) into KEV; fix or mitigate by 2026-04-30 or discontinue use per KEV guidance.

    @lyrie_ai

    15 May 2026

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. 🚨 Apache ActiveMQ RCE (CVE-2026-34197): Jolokia API flaw → OS command execution; weak default creds (admin:admin) OR CVE-2024-32114 → effectively unauth RCE; exploit Apr 8, in-the-wild Apr 13, CISA KEV Apr 16, ~7k exposed. #ActiveMQ #RCE #CISAKEV ➡️ https://t.co/nXm2E6

    @leonov_av

    14 May 2026

    96 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CISA added CVE-2026-34197 to KEV: code injection in Apache ActiveMQ. The last ActiveMQ KEV bug (CVE-2023-46604) got hammered by ransomware crews within days. If your broker is internet-exposed, patch this week. https://t.co/IsE80CC4TE

    @TechTranslators

    25 Apr 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Our canary network is seeing unauthenticated exploitation of Apache ActiveMQ via CVE-2024-32114 + CVE-2026-34197. CVE-2024-32114 is not on CISA KEV but we added it to VulnCheck KEV today. We see spread of CVE-2026-34197, but CVE-2024-32114 is sourcing from Digital Ocean atm.

    @Junior_Baines

    22 Apr 2026

    5770 Impressions

    8 Retweets

    17 Likes

    8 Bookmarks

    0 Replies

    1 Quote

  7. ActiveMQ's CVE-2026-34197 (CVSS 8.8) is being exploited and affects roughly 6,400 publicly exposed hosts. RCE is possible via the Jolokia API, and chaining it with CVE-2024-32114 also gives unauthenticated RCE. The bug, undetected for 13 years, was found with Claude AI assistance; CISA has added it to KEV / Actively exploited Apache ActiveMQ flaw impacts 6,40

    @__su888

    21 Apr 2026

    112 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. A 13-year-old flaw in Apache ActiveMQ can lead to RCE. CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions. Patched in 5.19.4 and 6.2.3. 🔗 Learn more → https://t.co/f6HCobOTBr http

    @TheHackersNews

    10 Apr 2026

    13270 Impressions

    35 Retweets

    98 Likes

    23 Bookmarks

    3 Replies

    2 Quotes

  9. Apache ActiveMQ CVE-2026-34197 allows RCE via Jolokia API by forcing brokers to load attacker-controlled remote Spring configs, becoming unauthenticated RCE on versions 6.0.0–6.1.1 due to CVE-2024-32114. https://t.co/HGn5MYE7bF

    @VivekIntel

    8 Apr 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. ⚠️ **Vulnerability Alert:** Apache ActiveMQ Classic — Jolokia JMX RCE chain (CVE-2026-34197) and related auth bypass (CVE-2024-32114) 📅 **Timeline:** Disclosure: 2024-05-02; 2026-04-07, Patch: 2024-05-02; 2026-04-07 🆔 **CVE-2026-34197** | 📊 CVSS: 8.8 (HIGH 🟠) |

    @syedaquib77

    8 Apr 2026

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. ⚠️ **Vulnerability Alert:** Apache ActiveMQ — Consolidated RCE and Jolokia/OpenWire/Fileserver issues (CVE-2026-34197 + CVE-2024-32114 + CVE-2022-41678 + CVE-2023-46604 + CVE-2016-3088) 📅 **Timeline:** Disclosure: 2026-04-07, Patch: unknown 🆔 **CVE-2026-34197** |

    @syedaquib77

    7 Apr 2026

    64 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations