Apache ActiveMQ Broker RCE via Jolokia JMX Bridge

CVE Notify is flagging a critical vulnerability, CVE-2026-34197, impacting Apache ActiveMQ Classic. This flaw hinges on the Jolokia JMX-HTTP bridge, exposed by default on the web console’s /api/jolokia/ endpoint. The default configuration for Jolokia allows exec operations on all ActiveMQ MBeans, including sensitive ones like BrokerService.addNetworkConnector and BrokerService.addConnector.

An authenticated attacker can leverage this by sending a specially crafted discovery URI. This URI tricks the VM transport’s brokerConfig parameter into loading a remote Spring XML application context. The kicker? Spring’s ResourceXmlApplicationContext initializes all singleton beans before the ActiveMQ Broker can validate the configuration. This provides a golden opportunity for arbitrary code execution within the broker’s JVM, often through built-in bean factory methods like Runtime.exec().

This vulnerability affects Apache ActiveMQ Broker versions prior to 5.19.4 and versions from 6.0.0 up to, but not including, 6.2.3. CVE Notify strongly advises upgrading to either 5.19.4 or 6.2.3 to patch this significant security hole.

What This Means For You

  • Organizations running Apache ActiveMQ Classic must immediately audit their configurations for exposed Jolokia endpoints and ensure they are running patched versions (5.19.4+ or 6.2.3+), as this RCE can be triggered by an authenticated attacker.
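A defender-side check for the two audit points above, added here as an example and not code from the source or from Apache ActiveMQ: `is_affected` applies the version ranges stated above, and `suspicious_requests` flags Jolokia exec calls to the two named BrokerService operations. It assumes POST bodies sent to /api/jolokia/ are logged (for example at a reverse proxy) in Jolokia's JSON request format; the function names and sample bodies are constructed for illustration.

```python
import json

# Affected ranges as stated in the advisory: < 5.19.4, and 6.0.0 <= v < 6.2.3.
FIXED_5X = (5, 19, 4)
FIRST_6X = (6, 0, 0)
FIXED_6X = (6, 2, 3)
# MBean operations the advisory names as the exec targets.
RISKY_OPS = {"addNetworkConnector", "addConnector"}


def is_affected(version: str) -> bool:
    """True if an ActiveMQ Classic version falls in the advisory's affected ranges."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    parts += (0,) * (3 - len(parts))  # treat "5.19" as 5.19.0
    return parts < FIXED_5X or FIRST_6X <= parts < FIXED_6X


def suspicious_requests(body: str) -> list[dict]:
    """Return Jolokia exec requests in a POST body that target the risky operations."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    # Jolokia accepts a single request object or a JSON array (bulk request).
    requests = parsed if isinstance(parsed, list) else [parsed]
    hits = []
    for req in requests:
        if not isinstance(req, dict):
            continue
        # The operation may carry a signature, e.g. "addConnector(java.lang.String)".
        op = str(req.get("operation", "")).split("(")[0]
        if (str(req.get("type", "")).lower() == "exec"
                and str(req.get("mbean", "")).startswith("org.apache.activemq:")
                and op in RISKY_OPS):
            args = json.dumps(req.get("arguments"))
            hits.append({"operation": op, "brokerConfig": "brokerConfig" in args})
    return hits


# Constructed sample bulk body (placeholder values, not captured traffic).
SAMPLE_BULK = json.dumps([
    {"type": "read", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
     "attribute": "BrokerVersion"},
    {"type": "exec", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
     "operation": "addNetworkConnector(java.lang.String)",
     "arguments": ["PLACEHOLDER-URI?brokerConfig=PLACEHOLDER"]},
])
```

Requests issued as GET encode the operation in the URL path instead of a body, so access-log paths under /api/jolokia/ need a separate match.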

Detection Rules

1 detection rule mapped to MITRE ATT&CK: Web Application Exploitation Attempt — CVE-2026-34197 (severity: high; T1190, Initial Access).

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-34197 | Code Injection | Apache ActiveMQ Broker and Apache ActiveMQ Classic, versions before 5.19.4 and from 6.0.0 before 6.2.3. Vulnerable component: Jolokia JMX-HTTP bridge at /api/jolokia/. Exploitation involves invoking BrokerService.addNetworkConnector(String) or BrokerService.addConnector(String) via crafted discovery URI to load remote Spring XML application context, leading to arbitrary code execution via Runtime.exec().
CVE-2026-34197 | Misconfiguration | Apache ActiveMQ Broker and Apache ActiveMQ Classic, versions before 5.19.4 and from 6.0.0 before 6.2.3. Default Jolokia access policy permits 'exec' operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String), enabling exploitation.
CVE-2026-34197 | RCE | Apache ActiveMQ Broker and Apache ActiveMQ Classic, versions before 5.19.4 and from 6.0.0 before 6.2.3. Exploitation via Jolokia JMX-HTTP bridge (/api/jolokia/) using ResourceXmlApplicationContext to load remote Spring XML, triggering bean factory methods like Runtime.exec() on the broker's JVM.
