CVE-2026-34197
Published: 07 April 2026
Description (mapped MITRE ATT&CK technique: Exploit Public-Facing Application, T1190)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-34197 is an improper input validation and code injection vulnerability (CWE-20, CWE-94) affecting Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ. The issue arises in the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console, where the default access policy allows exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An attacker can supply a crafted discovery URI that causes the VM transport's brokerConfig parameter to load a remote Spring XML application context via ResourceXmlApplicationContext. This context instantiates singleton beans prior to BrokerService configuration validation, enabling arbitrary code execution on the broker's JVM through bean factory methods such as Runtime.exec(). The vulnerability impacts Apache ActiveMQ Broker versions before 5.19.4 and from 6.0.0 before 6.2.3, with the same version ranges affected for Apache ActiveMQ All and Apache ActiveMQ.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality, integrity, and availability impact (CVSS 8.8). By invoking the vulnerable MBean operations via the Jolokia bridge, the attacker crafts a discovery URI to trigger remote loading and instantiation of a malicious Spring XML context, resulting in remote code execution within the broker's JVM.
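The attack path above leaves a recognisable trace in the web console's HTTP traffic: a Jolokia `exec` request against an `org.apache.activemq:*` MBean naming `addNetworkConnector` or `addConnector`, optionally with an argument carrying `brokerConfig=`. The following detector is an added example written for this page, not code from the Apache ActiveMQ project or the advisory. It assumes a constructed JSON-per-line access log with `path`, `user`, `remote_addr` and `body` fields (the Jolokia request body captured as parsed JSON), and the Jolokia operation spelling `name(java.lang.String)`; all sample values are constructed.

```python
"""Flag Jolokia exec requests against ActiveMQ broker MBeans that reach the
connector-management operations named in CVE-2026-34197.

Added example for illustration only; not code from Apache ActiveMQ or the
advisory. The log format (one JSON object per line with 'path', 'user',
'remote_addr' and 'body') and every sample value below are assumptions.
"""
import json

# Operations named in the advisory; the "(java.lang.String)" suffix is how
# Jolokia disambiguates overloaded operations and is assumed here.
WATCHED_OPERATIONS = ("addNetworkConnector", "addConnector")
JOLOKIA_PATH = "/api/jolokia"
ACTIVEMQ_DOMAIN = "org.apache.activemq:"


def _jolokia_requests(body):
    """Jolokia POST bodies are either one request object or a list (bulk request)."""
    if isinstance(body, list):
        return [b for b in body if isinstance(b, dict)]
    if isinstance(body, dict):
        return [body]
    return []


def classify_request(req):
    """Return 'critical', 'suspicious' or None for a single Jolokia request object."""
    if req.get("type") != "exec":
        return None
    mbean = str(req.get("mbean", ""))
    if not mbean.startswith(ACTIVEMQ_DOMAIN):
        return None
    op_name = str(req.get("operation", "")).split("(", 1)[0]
    if op_name not in WATCHED_OPERATIONS:
        return None
    args = req.get("arguments") or []
    # A connector URI carrying brokerConfig= asks the VM transport to load an
    # external Spring XML context, the ingredient the advisory describes.
    if any("brokerConfig=" in str(a) for a in args):
        return "critical"
    # Connector management through Jolokia is rare enough to review on its own.
    return "suspicious"


def scan_log(lines):
    """Parse JSON access-log lines; return (severity, user, remote_addr, operation) findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the scan
        if not str(entry.get("path", "")).startswith(JOLOKIA_PATH):
            continue
        for req in _jolokia_requests(entry.get("body")):
            severity = classify_request(req)
            if severity:
                findings.append(
                    (severity, entry.get("user"), entry.get("remote_addr"), req.get("operation"))
                )
    return findings


# Constructed sample log lines (not real traffic).
BROKER_MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_LOG = [
    json.dumps({"path": "/api/jolokia/", "user": "admin", "remote_addr": "10.0.0.7",
                "body": {"type": "read", "mbean": BROKER_MBEAN,
                         "attribute": "TotalConnectionsCount"}}),
    json.dumps({"path": "/api/jolokia/", "user": "ops", "remote_addr": "10.0.0.8",
                "body": {"type": "exec", "mbean": BROKER_MBEAN,
                         "operation": "addConnector(java.lang.String)",
                         "arguments": ["tcp://0.0.0.0:61617"]}}),
    json.dumps({"path": "/api/jolokia/", "user": "guest", "remote_addr": "198.51.100.23",
                "body": [{"type": "exec", "mbean": BROKER_MBEAN,
                          "operation": "addNetworkConnector(java.lang.String)",
                          "arguments": ["vm://localhost?brokerConfig=PLACEHOLDER_REMOTE_XML_URI"]}]}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

The read request and the malformed line produce nothing; the plain `addConnector` call is reported as suspicious, and the `addNetworkConnector` call whose argument carries `brokerConfig=` is reported as critical. Jolokia also accepts GET-style requests with the operation encoded in the URL path, which this body-only detector does not cover.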
The Apache security advisory recommends upgrading to Apache ActiveMQ 5.19.4 or 6.2.3, the releases that address the issue. Additional details are available in the official announcement and the related oss-security mailing list post.
This CVE appears in the CISA Known Exploited Vulnerabilities catalog, indicating active real-world exploitation.
Details
- CWE(s): CWE-20, CWE-94
- KEV Date Added: 16 April 2026
Affected Products
- Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: versions before 5.19.4, and from 6.0.0 before 6.2.3
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability in the exposed Jolokia JMX-HTTP bridge on the ActiveMQ web console enables authenticated attackers to achieve remote code execution via crafted MBean operations and remote Spring XML context loading, which is directly an instance of exploiting a public-facing application.