Apache ActiveMQ Jolokia Flaws Enable Authenticated Remote Code Execution
Apache ActiveMQ disclosed multiple related vulnerabilities in its Classic broker components that allow authenticated remote code execution through the Jolokia JMX-HTTP bridge exposed on the web console at /api/jolokia/. The flaws let an attacker invoke MBean methods such as BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String) with crafted discovery URIs, abusing the VM transport brokerConfig parameter to load a remote Spring XML application context and execute arbitrary code in the broker JVM.
Apache identified CVE-2026-42588 as the original issue and CVE-2026-45505 as a bypass of the earlier fix for CVE-2026-34197, caused by improper validation of non-parenthesized discovery wrappers including masterslave:vm://...,... and static:vm://.... The affected products are Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ versions before 5.19.7 and 6.0.0 through before 6.2.6; Apache advises upgrading to 5.19.7 or 6.2.6 to remediate the exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Bypass of CVE-2026-34197 disclosed as CVE-2026-45505
A later disclosure described CVE-2026-45505 as a bypass of the fix for CVE-2026-34197 in Apache ActiveMQ, caused by acceptance of non-parenthesized discovery wrappers such as masterslave:vm:// and static:vm:// during validation. The flaw again enables authenticated attackers using the Jolokia endpoint to trigger remote Spring XML loading and arbitrary code execution, with the same affected version ranges and upgrade guidance to 5.19.7 or 6.2.6.
Apache discloses ActiveMQ RCE via Jolokia addNetworkConnector
Apache disclosed a remote code execution vulnerability in Apache ActiveMQ Classic exposed through the Jolokia JMX-HTTP bridge, allowing an authenticated attacker to invoke BrokerService.addNetworkConnector(String) with a crafted discovery URI and achieve code execution. The issue affects versions before 5.19.7 and 6.0.0 through before 6.2.6, and Apache advised upgrading to 5.19.7 or 6.2.6.
Apache discloses CVE-2026-34197 for ActiveMQ
Apache published a security advisory announcing CVE-2026-34197 affecting ActiveMQ. The reference indicates this earlier flaw later became the basis for a bypass described in subsequent reporting.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-45505 - Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass
cvefeed.io
Open sourceoss-sec: CVE-2026-42588: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector
seclists.org
Open source[no-title]
activemq.apache.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache ActiveMQ Jolokia Flaws Enable Broker Control and Remote Code Execution
Apache ActiveMQ disclosed two related Jolokia security flaws that let authenticated low-privilege web users perform actions intended for administrators and, in more severe cases, execute arbitrary code on the broker JVM. The first issue, tracked as **`CVE-2026-49157`**, stems from incorrect default Jolokia authorization settings in the web console, allowing non-admin accounts to retain broker-management access and carry out operations such as adding or removing queues. A second flaw, **`CVE-2026-42588`**, allows remote code execution through the Jolokia JMX-HTTP bridge exposed at **`/api/jolokia/`** by invoking MBean `exec` operations such as `BrokerService.addNetworkConnector(String)`. A crafted `masterslave://` discovery URI can abuse the VM transport's `brokerConfig` parameter to load a Spring XML application context via `ResourceXmlApplicationContext`, enabling code execution before configuration validation completes. Both vulnerabilities affect Apache ActiveMQ versions before **`5.19.7`** and versions from **`6.0.0`** before **`6.2.6`**, and Apache has advised users to upgrade to those fixed releases.
Jun 3, 2026
Apache ActiveMQ Jolokia MBean Flaw Enables Authenticated RCE
Apache disclosed **CVE-2026-34197**, an important-severity remote code execution flaw in **Apache ActiveMQ Broker** and **Apache ActiveMQ Classic** that lets authenticated users execute code through the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/`. The default Jolokia access policy permits `exec` operations on ActiveMQ MBeans, allowing attackers to call methods such as `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)` with a crafted discovery URI. The exploit abuses the VM transport `brokerConfig` parameter to load a remote Spring XML application context via `ResourceXmlApplicationContext`, and Spring may instantiate singleton beans before ActiveMQ validates the configuration, enabling arbitrary code execution in the broker JVM, including through methods like `Runtime.exec()`. Apache said the issue affects versions before **5.19.4** in the 5.x line and **6.0.0 through before 6.2.3** in the 6.x line, and recommends upgrading to **5.19.5** or **6.2.3**; the vulnerability was reported by Naveen Sunkavally of Horizon3.ai.
Apr 23, 2026
Apache ActiveMQ Jolokia Flaws Enable Zero-Credential Remote Code Execution
Active exploitation has been observed against an Apache ActiveMQ remote code execution chain involving the Jolokia management API. VulnCheck reported canary-network hits tied to `CVE-2026-34197`, which was added to CISA's Known Exploited Vulnerabilities catalog, and said attackers are also using an unauthenticated variant that chains `CVE-2024-32114` with `CVE-2026-34197` to achieve zero-credential RCE. According to the reporting, `CVE-2024-32114` removes authentication from the Jolokia endpoint in ActiveMQ versions `6.0.0` through `6.1.1`, exposing the management interface to unauthenticated abuse. Technical details published by Horizon3.ai describe the RCE path through the Jolokia API, while VulnCheck said observed payloads invoked `addNetworkConnector` through Jolokia during exploitation. One captured payload referenced a private IP address, indicating the attacker activity may have reused a lab or proof-of-concept configuration, but the exploitation itself was confirmed in the wild. The combined reporting indicates that exposed ActiveMQ instances with vulnerable Jolokia configurations face immediate risk of unauthenticated remote compromise.
Jun 1, 2026