Warning: High Severity vulnerability in Apache ActiveMQ, Patch Immediately!

• Last update: 13/04/2026
• Affected software:
  → Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
  → Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
  → Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
  → Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
• Type: Improper Input Validation and Code Injection
• CVE/CVSS
  → CVE-2026-34197: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

Risks

This vulnerability allows an authenticated, remote attacker to execute arbitrary code. This has a high impact on Confidentiality, Integrity and Availability.

Description

The /api/jolokia/ endpoint is exposed in ActiveMQ Classic and allows exec operations on all ActiveMQ MBeans by default. When invoking these operations with a crafted discovery URI to trigger the loading of a remote Spring XML application context. Because all the singleton beans get instantiated before the configuration is validated, Bean factory methods can execute arbitrary code before they are checked. Now the attacker can do anything they want on the system.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-34197