DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34197: Remote Code Execution in Apache ActiveMQ via Jolokia JMX-HTTP Bridge

Vulnerability ID: CVE-2026-34197
CVSS Score: 8.8
Published: 2026-04-07

CVE-2026-34197 is a critical remote code execution vulnerability in Apache ActiveMQ Classic affecting versions prior to 5.19.4 and the 6.x branch before 6.2.3. Attackers exploit the Jolokia JMX-HTTP bridge to force the BrokerService MBean to load a malicious Spring XML configuration file, leading to arbitrary code execution on the broker's JVM.

TL;DR

Apache ActiveMQ versions prior to 5.19.4, and 6.x versions prior to 6.2.3, suffer from a critical RCE. Attackers can abuse the Jolokia API to execute commands by passing a crafted URI to the BrokerService MBean, forcing the server to load external Spring XML configurations.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network
  • CVSS v3.1 Score: 8.8 (High)
  • EPSS Score: 0.46638 (97.67th percentile)
  • Exploit Status: Active / Weaponized
  • CISA KEV: Listed (Added 2026-04-16)

Affected Systems

  • Apache ActiveMQ Broker / Classic: < 5.19.4 (Fixed in: 5.19.4)
  • Apache ActiveMQ Broker / Classic: >= 6.0.0, <= 6.2.2 (Fixed in: 6.2.3)

Mitigation Strategies

  • Upgrade ActiveMQ to a non-vulnerable version.
  • Restrict network access to the ActiveMQ web console (port 8161).
  • Harden Jolokia access policy via jolokia-access.xml.
  • Disable the Jolokia bridge if not required.

Remediation Steps:

  1. Download Apache ActiveMQ version 5.19.4 or 6.2.3 from the official repository.
  2. Back up the existing conf and data directories.
  3. Apply the upgraded binaries and restart the ActiveMQ broker service.
  4. If patching is delayed, edit conf/jolokia-access.xml to deny exec operations on the org.apache.activemq:* domain.
  5. Verify firewall rules strictly limit access to TCP port 8161 to authorized subnets only.
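
One way to check the step 4 stopgap is to audit the policy file for the deny rule. The script below is an added example, not code from the original report or the ActiveMQ project. Both sample policies are constructed and use Jolokia's `<restrict>`/`<deny>`/`<mbean>` policy format, and the check is a literal match on the domain-wide rule, not a full evaluation of Jolokia's policy logic.

```python
import xml.etree.ElementTree as ET

DOMAIN = "org.apache.activemq"  # MBean domain named in remediation step 4

# Constructed sample policies (not ActiveMQ's shipped jolokia-access.xml).
WEAK_POLICY = """<restrict>
  <commands>
    <command>read</command>
    <command>exec</command>
  </commands>
</restrict>"""

HARDENED_POLICY = """<restrict>
  <commands>
    <command>read</command>
    <command>exec</command>
  </commands>
  <deny>
    <mbean>
      <name>org.apache.activemq:*</name>
      <operation>*</operation>
    </mbean>
  </deny>
</restrict>"""


def audit_policy(policy_xml):
    """Return findings for the step 4 stopgap; an empty list means the deny rule is present."""
    root = ET.fromstring(policy_xml)
    findings = []
    denied = False
    for mbean in root.findall("./deny/mbean"):
        name = (mbean.findtext("name") or "").strip()
        ops = {(op.text or "").strip() for op in mbean.findall("operation")}
        # Literal match on the domain-wide pattern and the operation wildcard only.
        if name == DOMAIN + ":*" and "*" in ops:
            denied = True
    if not denied:
        findings.append("no <deny> rule for all operations on %s:*" % DOMAIN)
    # An <allow> entry for the same domain needs a manual look at how it interacts with <deny>.
    for mbean in root.findall("./allow/mbean"):
        name = (mbean.findtext("name") or "").strip()
        if name.startswith(DOMAIN + ":") and mbean.find("operation") is not None:
            findings.append("<allow> grants operations on %s; review by hand" % name)
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(policy) or "ok")
```

To audit a real broker, pass the contents of conf/jolokia-access.xml to `audit_policy` instead of the embedded samples.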

Read the full report for CVE-2026-34197 on our website for more details including interactive diagrams and full exploit analysis.
