PT-2026-30805 · Apache · Apache ActiveMQ

Naveen Sunkavally · Published 2026-04-07 · Updated 2026-04-17 · CVE-2026-34197

CVSS v2.0: 9.0 High (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Name of the Vulnerable Software and Affected Versions

Apache ActiveMQ Broker versions prior to 5.19.4
Apache ActiveMQ Broker versions 6.0.0 through 6.2.2
Apache ActiveMQ versions prior to 5.19.4
Apache ActiveMQ versions 6.0.0 through 6.2.2

Description

Improper input validation and improper control of code generation in Apache ActiveMQ Classic allow for remote code execution. The software exposes the Jolokia JMX-HTTP bridge at the endpoint '/api/jolokia/' on the web console. The default access policy permits execution operations on all ActiveMQ MBeans, specifically the functions addNetworkConnector(String) and addConnector(String).

An authenticated attacker can use a crafted discovery URI to trigger the brokerConfig parameter of the VM transport to load a remote Spring XML application context via ResourceXmlApplicationContext. Since this context instantiates singleton beans before configuration validation, arbitrary code can be executed on the broker's JVM through bean factory methods such as Runtime.exec(). In some environments, this can be exploited using default credentials or without authentication if the Jolokia bridge is exposed.

Real-world incidents include the use of this flaw by the Phorpiex/Twizt hybrid botnet for lateral movement and ransomware deployment.

Recommendations

For versions prior to 5.19.4, upgrade to version 5.19.4 or 5.19.5.
For versions 6.0.0 through 6.2.2, upgrade to version 6.2.3.
Restrict or disable Jolokia execution operations and enforce strong authentication policies.
Block or limit network access to the '/api/jolokia/' endpoint and the web console to trusted management networks.
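
One way to look for the request pattern described above in proxy or WAF captures, added here as an example and not taken from the advisory or from Apache: it flags Jolokia exec calls to addNetworkConnector or addConnector on ActiveMQ MBeans, in POST bodies or GET request targets, and marks those whose argument mentions brokerConfig. The request shapes follow the Jolokia protocol; the function names, the broker name "localhost" and the sample requests are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

RISKY_OPS = {"addNetworkConnector", "addConnector"}  # operations named in the advisory
PREFIX = "/api/jolokia/"                             # endpoint named in the advisory

def classify(req):
    """Return a finding for one Jolokia request dict, or None if it is not of interest."""
    if not isinstance(req, dict) or str(req.get("type", "")).lower() != "exec":
        return None
    op = str(req.get("operation", "")).split("(")[0]  # drop an optional "(java.lang.String)"
    if op not in RISKY_OPS or not str(req.get("mbean", "")).startswith("org.apache.activemq:"):
        return None
    args = " ".join(map(str, req.get("arguments") or []))
    return f"exec {op}" + (" +brokerConfig" if "brokerconfig" in args.lower() else "")

def scan_post_body(body):
    """Jolokia POST body: one JSON request object or a bulk array of them."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [f for f in map(classify, doc if isinstance(doc, list) else [doc]) if f]

def scan_get_target(target):
    """Jolokia GET form: /api/jolokia/exec/<mbean>/<operation>/<arg>, with '!/' escaping '/'."""
    decoded = unquote(target)
    if not decoded.startswith(PREFIX):
        return []
    parts = re.split(r"(?<!!)/", decoded[len(PREFIX):], maxsplit=3)
    if len(parts) < 3:
        return []
    hit = classify({"type": parts[0], "mbean": parts[1], "operation": parts[2],
                    "arguments": parts[3:]})
    return [hit] if hit else []

# Constructed sample requests (placeholders only, not captured traffic).
MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLES = [
    ("POST", json.dumps({"type": "read", "mbean": MBEAN, "attribute": "BrokerVersion"})),
    ("POST", json.dumps({"type": "exec", "mbean": MBEAN, "operation": "addNetworkConnector",
                         "arguments": ["<uri>?brokerConfig=<redacted>"]})),
    ("GET", PREFIX + "exec/" + MBEAN + "/addConnector/tcp:!/!/0.0.0.0:61617"),
]

if __name__ == "__main__":
    for method, data in SAMPLES:
        print(method, (scan_post_body if method == "POST" else scan_get_target)(data))
```

A hit without the brokerConfig marker can be legitimate administration, so treat it as a lead to correlate with the source address and the authenticated user rather than as proof of compromise.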

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-04928
BIT-ACTIVEMQ-2026-34197
CVE-2026-34197
GHSA-RXPJ-7QVF-XV32

Affected Products

Apache ActiveMQ