CVE-2026-34197
Code Injection in Apache ActiveMQ Broker Enables Remote Code Execution
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq | to 5.19.4 (exc) |
| apache | activemq | From 6.0.0 (inc) to 6.2.3 (exc) |
| apache | activemq_broker | to 5.19.4 (exc) |
| apache | activemq_broker | From 6.0.0 (inc) to 6.2.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34197 is a code injection vulnerability in Apache ActiveMQ Broker and Apache ActiveMQ. It arises from improper input validation and improper control of code generation in the Jolokia JMX-HTTP bridge exposed at the /api/jolokia/ endpoint on the web console.
The default Jolokia access policy permits execution of operations on all ActiveMQ MBeans, including sensitive methods like BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
An authenticated attacker can exploit this by invoking these operations with a crafted discovery URI that leverages the VM transport's brokerConfig parameter to load a remote Spring XML application context using Springβs ResourceXmlApplicationContext.
Because Spring instantiates all singleton beans before the BrokerService validates the configuration, this allows arbitrary code execution on the broker's JVM through bean factory methods such as Runtime.exec().
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to execute arbitrary code on the Apache ActiveMQ broker's JVM remotely.
Such arbitrary code execution can lead to full compromise of the broker, potentially allowing the attacker to manipulate messaging services, disrupt operations, steal sensitive data, or use the broker as a pivot point for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Apache ActiveMQ Broker or Apache ActiveMQ instance exposes the Jolokia JMX-HTTP bridge at the /api/jolokia/ endpoint on the web console.
Specifically, you should verify if the Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including sensitive methods like BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
Detection commands could include using curl or similar HTTP clients to query the Jolokia endpoint and check for accessible exec operations. For example:
- curl -u <username>:<password> http://<activemq-host>:<port>/api/jolokia/ -d '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["someURI"]}'
If the above command succeeds or returns a response indicating the operation is permitted, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Apache ActiveMQ Broker or Apache ActiveMQ to versions 5.19.5 or 6.2.3 or later, where this vulnerability is fixed.
Until the upgrade can be performed, restrict access to the Jolokia JMX-HTTP bridge endpoint (/api/jolokia/) to trusted and authenticated users only, and review the Jolokia access policy to limit or disable exec operations on sensitive MBeans.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.