PT-2026-30805 · Apache · Apache Activemq

Naveen Sunkavally

·

Published

2026-04-07

·

Updated

2026-07-04

·

CVE-2026-34197

CVSS v2.0

9.0

High

VectorAV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Apache ActiveMQ Broker versions prior to 5.19.7 Apache ActiveMQ Broker versions 6.0.0 through 6.2.5 Apache ActiveMQ All versions prior to 5.19.7 Apache ActiveMQ All versions 6.0.0 through 6.2.5 Apache ActiveMQ versions prior to 5.19.7 Apache ActiveMQ versions 6.0.0 through 6.2.5
Description An authenticated attacker can achieve remote code execution on the broker's Java Virtual Machine (JVM) by sending a specially crafted discovery Uniform Resource Identifier (URI) to the Jolokia JMX-HTTP bridge, which is exposed at the /api/jolokia/ endpoint on the web console. The default Jolokia access policy allows execution operations on ActiveMQ MBeans, specifically the addNetworkConnector(String) and addConnector(String) functions of the BrokerService. By manipulating the brokerConfig parameter of the VM transport, an attacker can force the system to load a remote Spring XML application context using ResourceXmlApplicationContext. Since this component instantiates singleton beans before the configuration is validated, arbitrary code can be executed via bean factory methods such as Runtime.exec(). This issue has been exploited in real-world incidents.
Recommendations Upgrade Apache ActiveMQ Broker to version 5.19.7 or 6.2.6. Upgrade Apache ActiveMQ All to version 5.19.7 or 6.2.6. Upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6. Restrict or disable the use of the /api/jolokia/ endpoint. Enforce strong authentication and strict access policies for Jolokia. Restrict web console access to trusted management networks. Run the software with the least privilege necessary to operate.

Exploit

Fix

RCE

LPE

OS Command Injection

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-04928
BIT-ACTIVEMQ-2026-34197
BIT-ACTIVEMQ-2026-40466
BIT-ACTIVEMQ-2026-45505
CVE-2026-34197
GHSA-RXPJ-7QVF-XV32
GHSA-W3W2-MPP5-92GM
OESA-2026-2124
OESA-2026-2125
OESA-2026-2126
OESA-2026-2127

Affected Products

Apache Activemq