CVE-2026-34197

Published Apr 7, 2026

Last updated 25 days ago

Exploit known
CVSS high 8.8
Apache ActiveMQ
Ubuntu
Server
Apache ActiveMQ Broker
Apache ActiveMQ Classic

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-34197 is an improper input validation and code injection vulnerability affecting Apache ActiveMQ Classic. This flaw resides in the Jolokia JMX-HTTP bridge, exposed on the web console, which by default permits `exec` operations on ActiveMQ MBeans, including `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)`. An authenticated attacker can exploit this by invoking these operations with a specially crafted discovery URI. This URI triggers the VM transport's `brokerConfig` parameter to load a remote Spring XML application context, which then instantiates singleton beans and executes arbitrary code on the broker's Java Virtual Machine (JVM) through methods like `Runtime.exec()`. While exploitation typically requires authentication, certain versions of Apache ActiveMQ Classic (6.0.0 through 6.1.1) are also affected by CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In these specific versions, CVE-2026-34197 can be exploited without credentials, effectively becoming an unauthenticated remote code execution vulnerability. This vulnerability has been present in the codebase for approximately 13 years and affects Apache ActiveMQ Broker versions before 5.19.4 and from 6.0.0 before 6.2.3.

Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
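A defender-side check suggested by the mechanism described above, added here as an example (not ActiveMQ or Jolokia project code): it parses Jolokia POST request bodies as a proxy or WAF would see them and flags exec calls against the two BrokerService operations the advisory names, rating highest those whose URI argument carries the VM transport's brokerConfig parameter. The sample bodies, the broker MBean name and the remote URL placeholder are constructed assumptions.

```python
import json

# The two BrokerService operations the advisory names; Jolokia may send the name
# with or without its signature suffix, so "(java.lang.String)" is stripped first.
WATCHED_OPERATIONS = {"addConnector", "addNetworkConnector"}
ACTIVEMQ_DOMAIN = "org.apache.activemq:"

def classify_request(req):
    """Label one Jolokia request object (a dict); None means nothing to flag.
    'exec-brokerconfig': watched op whose URI argument carries the VM transport's
                         brokerConfig parameter, i.e. the CVE-2026-34197 trigger.
    'exec-watched-op'  : watched op without brokerConfig; still worth review."""
    if str(req.get("type", "")).lower() != "exec":
        return None
    if not str(req.get("mbean", "")).startswith(ACTIVEMQ_DOMAIN):
        return None
    operation = str(req.get("operation", "")).split("(", 1)[0].strip()
    if operation not in WATCHED_OPERATIONS:
        return None
    uris = [a.lower() for a in (req.get("arguments") or []) if isinstance(a, str)]
    if any(u.startswith("vm:") and "brokerconfig=" in u for u in uris):
        return "exec-brokerconfig"
    return "exec-watched-op"

def scan_jolokia_body(body):
    """Parse a Jolokia POST body (single object or bulk list); return
    (mbean, operation, label) for every request that matches."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []
    findings = []
    for req in payload if isinstance(payload, list) else [payload]:
        label = classify_request(req) if isinstance(req, dict) else None
        if label:
            findings.append((req["mbean"], req["operation"], label))
    return findings

# Constructed sample bodies, not captured traffic; the remote XML URL is a placeholder.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_BODIES = [
    '{"type":"read","mbean":"%s","attribute":"TotalConnectionsCount"}' % BROKER,
    '[{"type":"exec","mbean":"%s","operation":"addConnector(java.lang.String)",'
    '"arguments":["vm://localhost?brokerConfig=REMOTE_XML_URL_PLACEHOLDER"]}]' % BROKER,
    '{"type":"exec","mbean":"%s","operation":"addNetworkConnector",'
    '"arguments":["static:(tcp://peer:61616)"]}' % BROKER,
]
```

Running `scan_jolokia_body` over each entry of `SAMPLE_BODIES` yields nothing for the read, `exec-brokerconfig` for the bulk request, and `exec-watched-op` for the plain network connector call.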
Source
security@apache.org
NVD status
Analyzed
Products
activemq, activemq_broker

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Apache ActiveMQ Improper Input Validation Vulnerability
Exploit added on
Apr 16, 2026
Exploit action due
Apr 30, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security@apache.org
CWE-20

Social media

Hype score
Not currently trending
  1. CISA added CVE-2026-34197 to KEV: code injection in Apache ActiveMQ. The last ActiveMQ KEV bug (CVE-2023-46604) got hammered by ransomware crews within days. If your broker is internet-exposed, patch this week. https://t.co/IsE80CC4TE

    @TechTranslators

    25 Apr 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Our canary network is seeing unauthenticated exploitation of Apache ActiveMQ via CVE-2024-32114 + CVE-2026-34197. CVE-2024-32114 is not on CISA KEV but we added it to VulnCheck KEV today. We see spread of CVE-2026-34197, but CVE-2024-32114 is sourcing from Digital Ocean atm.

    @Junior_Baines

    22 Apr 2026

    5770 Impressions

    8 Retweets

    17 Likes

    8 Bookmarks

    0 Replies

    1 Quote

  3. ActiveMQ's CVE-2026-34197 (CVSS 8.8) is being actively exploited, affecting about 6,400 exposed hosts. RCE is possible via the Jolokia API, and chaining with CVE-2024-32114 also allows unauthenticated RCE. The bug, undetected for 13 years, was found with Claude AI assistance; CISA has added it to KEV / Actively exploited Apache ActiveMQ flaw impacts 6,40

    @__su888

    21 Apr 2026

    112 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. A 13-year-old flaw in Apache ActiveMQ can lead to RCE. CVE-2026-34197 lets attackers run OS commands via the Jolokia API. Chained with CVE-2024-32114, it becomes unauthenticated RCE on some versions. Patched in 5.19.4 and 6.2.3. 🔗 Learn more → https://t.co/f6HCobOTBr http

    @TheHackersNews

    10 Apr 2026

    13270 Impressions

    35 Retweets

    98 Likes

    23 Bookmarks

    3 Replies

    2 Quotes

  5. Apache ActiveMQ CVE-2026-34197 allows RCE via Jolokia API by forcing brokers to load attacker-controlled remote Spring configs, becoming unauthenticated RCE on versions 6.0.0–6.1.1 due to CVE-2024-32114. https://t.co/HGn5MYE7bF

    @VivekIntel

    8 Apr 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. ⚠️ **Vulnerability Alert:** Apache ActiveMQ Classic — Jolokia JMX RCE chain (CVE-2026-34197) and related auth bypass (CVE-2024-32114) 📅 **Timeline:** Disclosure: 2024-05-02; 2026-04-07, Patch: 2024-05-02; 2026-04-07 🆔 **CVE-2026-34197** | 📊 CVSS: 8.8 (HIGH 🟠) |

    @syedaquib77

    8 Apr 2026

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. ⚠️ **Vulnerability Alert:** Apache ActiveMQ — Consolidated RCE and Jolokia/OpenWire/Fileserver issues (CVE-2026-34197 + CVE-2024-32114 + CVE-2022-41678 + CVE-2023-46604 + CVE-2016-3088) 📅 **Timeline:** Disclosure: 2026-04-07, Patch: unknown 🆔 **CVE-2026-34197** |

    @syedaquib77

    7 Apr 2026

    64 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes
