CVE-2026-34197 is a remote code execution vulnerability in Apache ActiveMQ Classic. The flaw exists in the Jolokia JMX-HTTP bridge, which ActiveMQ exposes at An authenticated attacker can invoke these operations with a crafted discovery URI that triggers ActiveMQ’s VM transport The vulnerability carries a CVSS v3.1 base score of 8.8 (High). Exploitation requires low privileges in the general case, but default credentials ( The underlying code path has been present for approximately 13 years. ActiveMQ has been a repeated target for real-world attackers, and public proof-of-concept exploits are already available.<\/p>\n\n\n\n Apache ActiveMQ Classic versions prior to 5.19.4 and versions 6.0.0 through 6.2.2 are affected. Any system running an unpatched ActiveMQ broker with the web console enabled on port In practice, affected assets are message brokers that serve as middleware between application components. ActiveMQ is widely deployed in enterprise environments for asynchronous messaging, event-driven architectures, and system integration. These brokers commonly sit behind load balancers or within internal networks, but many are also directly internet-facing due to legacy deployment patterns, cloud migrations, or operational convenience.<\/p>\n\n\n\n The web console, including the Jolokia endpoint, is enabled by default in most ActiveMQ installations. Organizations running older versions often lack visibility into whether Patches are available. Apache has released ActiveMQ Classic 5.19.4 and 6.2.3, both of which remove the ability for the Organizations running ActiveMQ versions 6.0.0 through 6.1.1 should treat remediation as especially urgent, as the combination of CVE-2026-34197 and CVE-2024-32114 enables unauthenticated remote code execution on those versions. Upgrading to 6.2.3 addresses both vulnerabilities.<\/p>\n\n\n\n Defenders should verify patch availability and applicability directly with their vendor or distribution maintainer rather than assuming a fix is available across all environments. Some Linux distributions may still be evaluating the patch for their packaged ActiveMQ versions.<\/p>\n\n\n\n\/api\/jolokia\/<\/code> on the broker’s web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String)<\/code> and BrokerService.addConnector(String)<\/code>.<\/p>\n\n\n\nbrokerConfig<\/code> parameter to load a remote Spring XML application context. Because Spring’s ResourceXmlApplicationContext<\/code> instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker’s JVM through bean factory methods such as Runtime.exec()<\/code>.<\/p>\n\n\n\nadmin:admin<\/code>) remain common across many ActiveMQ deployments. On ActiveMQ versions 6.0.0 through 6.1.1, a separate flaw (CVE-2024-32114) removed the Jolokia endpoint from the web console’s security constraints entirely, making CVE-2026-34197 effectively unauthenticated on those versions.<\/p>\n\n\n\nWhat assets are affected by CVE-2026-34197?<\/h2>\n\n\n\n
8161<\/code> is potentially vulnerable.<\/p>\n\n\n\n8161<\/code> is reachable from untrusted networks. Environments with mixed on-premises and cloud infrastructure are especially prone to having unintentionally exposed management interfaces.<\/p>\n\n\n\nAre fixes available?<\/h2>\n\n\n\n
addNetworkConnector<\/code> operation to add vm:\/\/<\/code> transports. This code path was never intended to be exposed as a remote operation.<\/p>\n\n\n\nAre there any other recommended actions to take?<\/h2>\n\n\n\n