PT-2026-30805 · Apache · Apache Activemq

Naveen Sunkavally · Published 2026-04-07 · Updated 2026-04-08

CVE-2026-34197 · CVSS v3.1 8.8 (High) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ Broker versions prior to 5.19.4, and versions 6.0.0 through 6.2.2. Note that this range and the fixed versions given below (5.19.5 and 6.2.3) do not line up exactly on the 5.x line, so do not treat a 5.19.4 broker as safe without confirming against the upstream Apache advisory.

Description

A code injection issue exists in Apache ActiveMQ Broker due to improper input validation in the Jolokia JMX-HTTP bridge that the web console exposes at /api/jolokia/. Through Jolokia's exec command, an authenticated attacker can invoke broker MBean operations such as BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String) with a crafted discovery URI. The broker resolves that URI by loading a remote Spring XML application context, and a Spring context can instantiate beans through arbitrary factory methods, including Runtime.exec(), so the attacker obtains arbitrary code execution inside the broker's JVM. Default web-console credentials are sufficient, and on certain versions the endpoint is reachable with no authentication at all; the CVSS vector above (PR:L) scores the authenticated case.

Recommendations

Upgrade to version 5.19.5 or 6.2.3. Where the upgrade has to wait, reduce exposure in layers: restrict or disable the Jolokia exec command, or at minimum deny the addNetworkConnector and addConnector operations on the broker MBean through the Jolokia access policy; replace the default web-console credentials and enforce authentication on every request to /api/jolokia/; block or limit access to /api/jolokia/ at the reverse proxy or firewall; and restrict web console access to trusted management networks.
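As an added example for the Jolokia policy recommendation above, and not configuration taken from this advisory or from the ActiveMQ project: a Jolokia access policy, in the XML format Jolokia loads through its servlet's policyLocation parameter (ActiveMQ's web console normally points that at conf/jolokia-access.xml; verify the path in your install), that pins the endpoint to a management network and denies the two operations the description names. The 10.0.0.0/8 range is a hypothetical management network, and the MBean pattern assumes ActiveMQ's usual org.apache.activemq:type=Broker,* object naming; both are assumptions to check against your deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy for the advisory above, not the ActiveMQ default file. -->
<restrict>
  <!-- Layer 1: only the management network may reach the Jolokia agent at all.
       127.0.0.1 keeps local tooling working; 10.0.0.0/8 is a hypothetical
       management range, substitute the real one. -->
  <remote>
    <host>127.0.0.1</host>
    <host>10.0.0.0/8</host>
  </remote>

  <!-- Layer 2: leave the exec command available for normal console use, but
       deny the two BrokerService operations the advisory identifies as the
       injection path, on every broker MBean matching the (assumed) stock
       object-name pattern. -->
  <deny>
    <mbean>
      <name>org.apache.activemq:type=Broker,*</name>
      <operation>addNetworkConnector</operation>
      <operation>addConnector</operation>
    </mbean>
  </deny>
</restrict>
```

If you would rather disable exec outright, add a `<commands>` element listing only read, list, search and version; some management-console functions rely on exec, so test that before rolling it out. Either way this policy is a compensating control, not the fix: it narrows the reachable surface while the upgrade to 5.19.5 or 6.2.3 is scheduled, and it does nothing for the versions where the endpoint is reachable without authentication unless the `<remote>` restriction is also in place.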

Tags: Fix · RCE · Code Injection

Related Identifiers: CVE-2026-34197

Affected Products: Apache ActiveMQ