CVE-2026-34197

Received Received - Intake

Code Injection in Apache ActiveMQ Broker Enables Remote Code Execution

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: Apache Software Foundation

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-07

Last Modified

2026-04-16

Generated

2026-06-16

AI Q&A

2026-04-07

EPSS Evaluated

2026-06-15

NVD

CVE-2026-34197

EUVD

EUVD-2026-19588

Affected Vendors & Products

Vendor	Product	Version / Range
apache	activemq	to 5.19.4 (exc)
apache	activemq	From 6.0.0 (inc) to 6.2.3 (exc)
apache	activemq_broker	to 5.19.4 (exc)
apache	activemq_broker	From 6.0.0 (inc) to 6.2.3 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-94	The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20	The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

Executive Summary

CVE-2026-34197 is a code injection vulnerability in Apache ActiveMQ Broker and Apache ActiveMQ. It arises from improper input validation and improper control of code generation in the Jolokia JMX-HTTP bridge exposed at the /api/jolokia/ endpoint on the web console.

The default Jolokia access policy permits execution of operations on all ActiveMQ MBeans, including sensitive methods like BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can exploit this by invoking these operations with a crafted discovery URI that leverages the VM transport's brokerConfig parameter to load a remote Spring XML application context using Spring’s ResourceXmlApplicationContext.

Because Spring instantiates all singleton beans before the BrokerService validates the configuration, this allows arbitrary code execution on the broker's JVM through bean factory methods such as Runtime.exec().

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary code on the Apache ActiveMQ broker's JVM remotely.

Such arbitrary code execution can lead to full compromise of the broker, potentially allowing the attacker to manipulate messaging services, disrupt operations, steal sensitive data, or use the broker as a pivot point for further attacks within the network.

Detection Guidance

This vulnerability can be detected by checking if your Apache ActiveMQ Broker or Apache ActiveMQ instance exposes the Jolokia JMX-HTTP bridge at the /api/jolokia/ endpoint on the web console.

Specifically, you should verify if the Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including sensitive methods like BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

Detection commands could include using curl or similar HTTP clients to query the Jolokia endpoint and check for accessible exec operations. For example:

curl -u <username>:<password> http://<activemq-host>:<port>/api/jolokia/ -d '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["someURI"]}'

If the above command succeeds or returns a response indicating the operation is permitted, the system is vulnerable.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Apache ActiveMQ Broker or Apache ActiveMQ to versions 5.19.5 or 6.2.3 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the Jolokia JMX-HTTP bridge endpoint (/api/jolokia/) to trusted and authenticated users only, and review the Jolokia access policy to limit or disable exec operations on sensitive MBeans.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Hi! I’m here to help you understand CVE-2026-34197. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-34197

Code Injection in Apache ActiveMQ Broker Enables Remote Code Execution

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart