Cyber Resilience

CVE-2026-34197

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 07 April 2026
Modified: 16 April 2026
KEV Added: 16 April 2026
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9631 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-34197 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache ActiveMQ. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-34197 is an improper input validation and code injection vulnerability affecting Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ versions before 5.19.4 as well as the 6.0.0 through 6.2.2 release trains. The flaw stems from the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console; its default access policy permits exec operations against all org.apache.activemq:* MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that causes the VM transport's brokerConfig parameter to load a remote Spring XML application context via ResourceXmlApplicationContext. Because the context instantiates all singleton beans before BrokerService performs configuration validation, the attacker can achieve arbitrary code execution inside the broker JVM, for example by invoking Runtime.exec() from a bean factory method.

The Apache ActiveMQ security advisory and the oss-security posting both recommend immediate upgrade to 5.19.4 or 6.2.3. CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The associated EPSS score has remained consistently high (current 0.8346, peak 0.8529), indicating sustained exploitation interest since disclosure.

Vulnerability details

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The exposed Jolokia JMX-HTTP bridge on the ActiveMQ web console lets authenticated attackers achieve remote code execution via crafted MBean operations and Spring XML context loading, which directly matches exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40466 · Same product: Apache ActiveMQ
CVE-2026-45505 · Same product: Apache ActiveMQ
CVE-2026-41044 · Same product: Apache ActiveMQ
CVE-2026-42588 · Same product: Apache ActiveMQ
CVE-2026-39304 · Same product: Apache ActiveMQ
CVE-2025-66168 · Same product: Apache ActiveMQ
CVE-2026-49157 · Same product: Apache ActiveMQ
CVE-2025-59059 · Same vendor: Apache
CVE-2025-54466 · Same vendor: Apache
CVE-2026-35194 · Same vendor: Apache

Affected Assets

apache / activemq: ≤ 5.19.4 · 6.0.0 — 6.2.3
apache / activemq broker: ≤ 5.19.4 · 6.0.0 — 6.2.3

Mitigating Controls (NIST 800-53 r5) AI

prevent · SI-10 (Information Input Validation)

Directly requires validation of all inputs (including discovery URIs and brokerConfig parameters) before they are processed by ResourceXmlApplicationContext or BrokerService methods.

prevent · AC-3 (Access Enforcement)

Enforces the Jolokia access policy so that exec operations on org.apache.activemq:* MBeans such as addNetworkConnector are denied for non-privileged subjects.

prevent

Limits the privileges granted to authenticated Jolokia users so they cannot invoke high-risk BrokerService operations that lead to remote class loading and code execution.
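The access-enforcement control above, as an added example that is not part of this record and not the policy file ActiveMQ ships: a Jolokia policy that withdraws the permissive default described in the analysis (exec allowed on every org.apache.activemq:* MBean) and explicitly denies the two BrokerService operations this CVE abuses. It assumes the ActiveMQ Classic web console reads its policy from conf/jolokia-access.xml (an assumption about your deployment); the Queue browse allow entry is an illustrative placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hardened Jolokia access policy (added example, not ActiveMQ's shipped file).
     The permissive pattern this record describes is equivalent to an allow
     entry of  name = org.apache.activemq:*  with  operation = *  which lets
     any authenticated console user call addNetworkConnector / addConnector. -->
<restrict>
  <!-- Commands permitted globally. "exec" is deliberately absent, so every
       MBean operation is refused unless an <allow> entry below names it. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>version</command>
    <command>search</command>
  </commands>

  <!-- Narrow allow-list for operations the console genuinely needs.
       The Queue browse entry is an assumed example; adjust to your usage. -->
  <allow>
    <mbean>
      <name>org.apache.activemq:type=Broker,brokerName=*,destinationType=Queue,destinationName=*</name>
      <operation>browse</operation>
    </mbean>
  </allow>

  <!-- A <deny> entry overrides any <allow>, so these operations stay blocked
       even if a broader allow-list is added later. -->
  <deny>
    <mbean>
      <name>org.apache.activemq:type=Broker,*</name>
      <operation>addNetworkConnector</operation>
      <operation>addConnector</operation>
    </mbean>
  </deny>
</restrict>
```

This narrows what the bridge accepts from already-authenticated console users; it is a compensating control alongside, not a substitute for, the upgrade to 5.19.4 or 6.2.3 that the advisory recommends.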

References