PT-2026-30805 · Apache · Apache Activemq

Naveen Sunkavally · Published 2026-04-07 · Updated 2026-05-19 · CVE-2026-34197

CVSS v2.0: 9.0 (High) · Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ Broker: versions prior to 5.19.6; versions 6.0.0 through 6.2.4
Apache ActiveMQ All: versions prior to 5.19.6; versions 6.0.0 through 6.2.4
Apache ActiveMQ: versions prior to 5.19.6; versions 6.0.0 through 6.2.4

Description

Improper input validation and improper control of code generation allow an authenticated attacker to achieve remote code execution in the broker's JVM. The issue exists because the Jolokia JMX-HTTP bridge, exposed at the '/api/jolokia/' endpoint, permits execution operations on ActiveMQ MBeans. Specifically, an attacker can invoke the addNetworkConnector() or addConnector() operations with a crafted discovery URI. This causes the brokerConfig parameter of the VM transport to load a remote Spring XML application context via ResourceXmlApplicationContext. Because that process instantiates singleton beans before the configuration is validated, arbitrary code can be executed through bean factory methods such as Runtime.exec(). This issue has been exploited in the wild.

Recommendations

Upgrade Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ to version 5.19.6 or 6.2.5. Restrict or disable Jolokia execution operations and enforce strong authentication and strict access policies. Block or limit network access to the '/api/jolokia/' endpoint and restrict the web console to trusted management networks.
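One way to apply the "restrict or disable Jolokia execution operations" recommendation is a Jolokia access policy, shown here as an added illustration that is not the advisory's or the ActiveMQ project's own configuration. It assumes the broker loads its policy from conf/jolokia-access.xml (the policy file ActiveMQ distributions ship) and uses a constructed management hostname as a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: conf/jolokia-access.xml. Jolokia reads this policy
     for every request reaching /api/jolokia/; restart the broker after editing. -->
<restrict>

  <!-- Only management hosts may talk to the Jolokia endpoint at all.
       "mgmt-jump.example.internal" is a constructed placeholder; replace it
       with your real management network or bastion host. -->
  <remote>
    <host>127.0.0.1</host>
    <host>mgmt-jump.example.internal</host>
  </remote>

  <!-- Whitelist of Jolokia request types. "exec" is deliberately absent,
       so MBean operations (including addNetworkConnector/addConnector)
       are refused globally; monitoring via read/list/search keeps working. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
    <command>search</command>
  </commands>

  <!-- Belt-and-braces: even if "exec" is later re-enabled for some MBean,
       keep the two operations named in the advisory denied on the broker MBean. -->
  <deny>
    <mbean>
      <name>org.apache.activemq:type=Broker,*</name>
      <operation>addNetworkConnector</operation>
      <operation>addConnector</operation>
    </mbean>
  </deny>

</restrict>
```

This policy is a mitigation for unpatched brokers only; the fixed versions named above remain the actual remedy.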

Tags: Exploit · Fix · RCE · LPE · Code Injection


Related Identifiers

BDU:2026-04928
BIT-ACTIVEMQ-2026-34197
BIT-ACTIVEMQ-2026-40466
CVE-2026-34197
GHSA-RXPJ-7QVF-XV32
GHSA-W3W2-MPP5-92GM
OESA-2026-2124
OESA-2026-2125
OESA-2026-2126
OESA-2026-2127

Affected Products

Apache Activemq