Apache ActiveMQ Jolokia Flaws Enable Zero-Credential Remote Code Execution
Active exploitation has been observed against an Apache ActiveMQ remote code execution chain involving the Jolokia management API. VulnCheck reported canary-network hits tied to CVE-2026-34197, which was added to CISA's Known Exploited Vulnerabilities catalog, and said attackers are also using an unauthenticated variant that chains CVE-2024-32114 with CVE-2026-34197 to achieve zero-credential RCE. According to the reporting, CVE-2024-32114 removes authentication from the Jolokia endpoint in ActiveMQ versions 6.0.0 through 6.1.1, exposing the management interface to unauthenticated abuse.
Technical details published by Horizon3.ai describe the RCE path through the Jolokia API, while VulnCheck said observed payloads invoked addNetworkConnector through Jolokia during exploitation. One captured payload referenced a private IP address, indicating the attacker activity may have reused a lab or proof-of-concept configuration, but the exploitation itself was confirmed in the wild. The combined reporting indicates that exposed ActiveMQ instances with vulnerable Jolokia configurations face immediate risk of unauthenticated remote compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Apache discloses CVE-2026-45505 ActiveMQ Jolokia wrapper bypass
Apache disclosed CVE-2026-45505, an ActiveMQ Jolokia addNetworkConnector discovery wrapper bypass that can lead to code injection and remote code execution on the broker JVM. The advisory says the issue affects versions before 5.19.7 and 6.2.6 and recommends upgrading to those releases.
Rapid7 opens pull request for Metasploit ActiveMQ Jolokia exploit module
A Rapid7 Metasploit Framework pull request was opened to add an exploit module and documentation for the Apache ActiveMQ Jolokia remote code execution issue tracked as CVE-2026-34197. The reference indicates the proof of concept was working but rough, marking a new public exploit-tooling development after earlier technical disclosure.
VulnCheck observes active exploitation of ActiveMQ Jolokia RCE chain
VulnCheck reported canary network hits showing attackers actively exploiting a chain combining CVE-2024-32114 and CVE-2026-34197 to achieve zero-credential remote code execution against Apache ActiveMQ. The captured payload used the Jolokia API addNetworkConnector method and referenced a private IP address, suggesting a lab or proof-of-concept configuration may have been reused.
Horizon3.ai publishes technical disclosure for CVE-2026-34197
Horizon3.ai published a disclosure covering CVE-2026-34197, describing Apache ActiveMQ remote code execution via the Jolokia API. The publication marked a public release of technical details for the flaw.
VulnCheck adds CVE-2024-32114 to its KEV list
After confirming exploitation through its canary network, VulnCheck added CVE-2024-32114 to its own Known Exploited Vulnerabilities list. This reflected a newly documented unauthenticated variant of the ActiveMQ Jolokia attack chain that was not listed in CISA KEV.
CVE-2026-34197 added to CISA Known Exploited Vulnerabilities catalog
CVE-2026-34197, an Apache ActiveMQ Jolokia-related remote code execution issue, was added to CISA's KEV catalog during the week referenced by VulnCheck. Its inclusion indicated confirmed in-the-wild exploitation.
Apache ActiveMQ Jolokia auth bypass affects versions 6.0.0 through 6.1.1
CVE-2024-32114 was identified as removing authentication from the Jolokia endpoint in Apache ActiveMQ versions 6.0.0 through 6.1.1. This issue enabled unauthenticated access that could later be chained with another flaw for remote code execution.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-45505: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass-Apache Mail Archives
lists.apache.org
Open sourceActivemq jolokia exploit (CVE-2026-34197) by h00die · Pull Request #21497 · rapid7/metasploit-framework · GitHub
github.com
Open sourceCVE-2026-34197 ActiveMQ RCE via Jolokia API | Horizon3.ai
horizon3.ai
Open sourceApache ActiveMQ Jolokia RCE Exploitation Underway | Jacob Baines posted on the topic | LinkedIn
linkedin.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache ActiveMQ Jolokia Flaws Enable Broker Control and Remote Code Execution
Apache ActiveMQ disclosed two related Jolokia security flaws that let authenticated low-privilege web users perform actions intended for administrators and, in more severe cases, execute arbitrary code on the broker JVM. The first issue, tracked as **`CVE-2026-49157`**, stems from incorrect default Jolokia authorization settings in the web console, allowing non-admin accounts to retain broker-management access and carry out operations such as adding or removing queues. A second flaw, **`CVE-2026-42588`**, allows remote code execution through the Jolokia JMX-HTTP bridge exposed at **`/api/jolokia/`** by invoking MBean `exec` operations such as `BrokerService.addNetworkConnector(String)`. A crafted `masterslave://` discovery URI can abuse the VM transport's `brokerConfig` parameter to load a Spring XML application context via `ResourceXmlApplicationContext`, enabling code execution before configuration validation completes. Both vulnerabilities affect Apache ActiveMQ versions before **`5.19.7`** and versions from **`6.0.0`** before **`6.2.6`**, and Apache has advised users to upgrade to those fixed releases.
Jun 3, 2026
Apache ActiveMQ Jolokia Flaws Enable Authenticated Remote Code Execution
Apache ActiveMQ disclosed multiple related vulnerabilities in its Classic broker components that allow authenticated remote code execution through the Jolokia JMX-HTTP bridge exposed on the web console at `/api/jolokia/`. The flaws let an attacker invoke MBean methods such as `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` with crafted discovery URIs, abusing the VM transport `brokerConfig` parameter to load a remote Spring XML application context and execute arbitrary code in the broker JVM. Apache identified CVE-2026-42588 as the original issue and CVE-2026-45505 as a bypass of the earlier fix for CVE-2026-34197, caused by improper validation of non-parenthesized discovery wrappers including `masterslave:vm://...,...` and `static:vm://...`. The affected products are Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ versions before `5.19.7` and `6.0.0` through before `6.2.6`; Apache advises upgrading to `5.19.7` or `6.2.6` to remediate the exposure.
Jun 1, 2026
Apache ActiveMQ Jolokia MBean Flaw Enables Authenticated RCE
Apache disclosed **CVE-2026-34197**, an important-severity remote code execution flaw in **Apache ActiveMQ Broker** and **Apache ActiveMQ Classic** that lets authenticated users execute code through the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/`. The default Jolokia access policy permits `exec` operations on ActiveMQ MBeans, allowing attackers to call methods such as `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` with a crafted discovery URI. The exploit abuses the VM transport `brokerConfig` parameter to load a remote Spring XML application context via `ResourceXmlApplicationContext`, and Spring may instantiate singleton beans before ActiveMQ validates the configuration, enabling arbitrary code execution in the broker JVM, including through methods like `Runtime.exec()`. Apache said the issue affects versions before **5.19.4** in the 5.x line and **6.0.0 through before 6.2.3** in the 6.x line, and recommends upgrading to **5.19.5** or **6.2.3**; the vulnerability was reported by Naveen Sunkavally of Horizon3.ai.
Apr 23, 2026