PT-2026-30805 · Apache · Apache Activemq
Naveen Sunkavally
·
Published
2026-04-07
·
Updated
2026-07-04
·
CVE-2026-34197
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ Broker versions prior to 5.19.7
Apache ActiveMQ Broker versions 6.0.0 through 6.2.5
Apache ActiveMQ All versions prior to 5.19.7
Apache ActiveMQ All versions 6.0.0 through 6.2.5
Apache ActiveMQ versions prior to 5.19.7
Apache ActiveMQ versions 6.0.0 through 6.2.5
Description
An authenticated attacker can achieve remote code execution on the broker's Java Virtual Machine (JVM) by sending a specially crafted discovery Uniform Resource Identifier (URI) to the Jolokia JMX-HTTP bridge, which is exposed at the
/api/jolokia/ endpoint on the web console. The default Jolokia access policy allows execution operations on ActiveMQ MBeans, specifically the addNetworkConnector(String) and addConnector(String) functions of the BrokerService. By manipulating the brokerConfig parameter of the VM transport, an attacker can force the system to load a remote Spring XML application context using ResourceXmlApplicationContext. Since this component instantiates singleton beans before the configuration is validated, arbitrary code can be executed via bean factory methods such as Runtime.exec(). This issue has been exploited in real-world incidents.Recommendations
Upgrade Apache ActiveMQ Broker to version 5.19.7 or 6.2.6.
Upgrade Apache ActiveMQ All to version 5.19.7 or 6.2.6.
Upgrade Apache ActiveMQ to version 5.19.7 or 6.2.6.
Restrict or disable the use of the
/api/jolokia/ endpoint.
Enforce strong authentication and strict access policies for Jolokia.
Restrict web console access to trusted management networks.
Run the software with the least privilege necessary to operate.Exploit
Fix
RCE
LPE
OS Command Injection
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Activemq