Apache ActiveMQ Jolokia Flaws Enable Broker Control and Remote Code Execution
Apache ActiveMQ disclosed two related Jolokia security flaws that let authenticated low-privilege web users perform actions intended for administrators and, in more severe cases, execute arbitrary code on the broker JVM. The first issue, tracked as CVE-2026-49157, stems from incorrect default Jolokia authorization settings in the web console, allowing non-admin accounts to retain broker-management access and carry out operations such as adding or removing queues.
A second flaw, CVE-2026-42588, allows remote code execution through the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ by invoking MBean exec operations such as BrokerService.addNetworkConnector(String). A crafted masterslave:// discovery URI can abuse the VM transport's brokerConfig parameter to load a Spring XML application context via ResourceXmlApplicationContext, enabling code execution before configuration validation completes. Both vulnerabilities affect Apache ActiveMQ versions before 5.19.7 and versions from 6.0.0 up to but not including 6.2.6; Apache has advised users to upgrade to those fixed releases.
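As an added example (not code from the advisory or the ActiveMQ project), the following Python triages Jolokia POST bodies captured from the web console path, flagging exec calls on broker-management operations and the addNetworkConnector/brokerConfig pattern described above. The request samples are constructed, the MBean operation names are those of the ActiveMQ broker MBean, and the URI target is a placeholder.

```python
import json

# Constructed sample Jolokia POST bodies (not real traffic). Jolokia requests
# carry "type", "mbean", "operation" and "arguments"; a body may be a JSON array.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_REQUESTS = [
    # Benign attribute read
    json.dumps({"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"}),
    # Queue management: admin-intended, the CVE-2026-49157 concern for low-privilege users
    json.dumps({"type": "exec", "mbean": BROKER,
                "operation": "addQueue(java.lang.String)", "arguments": ["orders"]}),
    # Network connector with a masterslave URI carrying brokerConfig (CVE-2026-42588 pattern);
    # the config location is a deliberate placeholder
    json.dumps({"type": "exec", "mbean": BROKER,
                "operation": "addNetworkConnector(java.lang.String)",
                "arguments": ["masterslave:(vm://localhost?brokerConfig=PLACEHOLDER)"]}),
    # Bulk request: one list call plus a queue removal
    json.dumps([{"type": "list"},
                {"type": "exec", "mbean": BROKER,
                 "operation": "removeQueue(java.lang.String)", "arguments": ["orders"]}]),
]

RCE_OPERATIONS = {"addnetworkconnector"}
MGMT_OPERATIONS = {"addqueue", "removequeue", "addtopic", "removetopic", "addconnector"}


def classify_request(req):
    """Return a severity for one Jolokia request object."""
    if req.get("type") != "exec":
        return "info"
    op = req.get("operation", "").split("(")[0].lower()
    args = " ".join(str(a) for a in req.get("arguments", [])).lower()
    # Config-loading transport parameters or a masterslave discovery URI in the
    # argument are the hallmark of the addNetworkConnector code-execution path.
    if op in RCE_OPERATIONS or "brokerconfig=" in args or args.startswith("masterslave:"):
        return "critical"
    if op in MGMT_OPERATIONS:
        return "high"
    return "medium"  # any other exec on a broker MBean still merits review


def scan(bodies):
    """Flatten single and bulk POST bodies and classify each request."""
    findings = []
    for body in bodies:
        parsed = json.loads(body)
        for req in parsed if isinstance(parsed, list) else [parsed]:
            findings.append((classify_request(req), req.get("operation", req.get("type"))))
    return findings
```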

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-42253 disclosed in ActiveMQ MessageServlet header injection
A newly reported critical flaw, CVE-2026-42253, allows HTTP response header injection via improperly sanitized JMS message properties in ActiveMQ's MessageServlet used by the web console API. The issue affects versions before 5.19.7 and 6.0.0 through 6.2.5, and Apache addressed it by disabling and deprecating MessageServlet in patched releases.
CVE-2026-45505 disclosed as another critical ActiveMQ Jolokia flaw
Reporting identified CVE-2026-45505 as a newly disclosed critical Apache ActiveMQ vulnerability affecting the Jolokia/web console management path. Under certain conditions, it can allow attackers to load malicious configurations and achieve arbitrary code execution.
CVE-2026-42588 details ActiveMQ RCE via Jolokia addNetworkConnector
Technical details were published for CVE-2026-42588, describing how an authenticated attacker could use Jolokia's exec operations on ActiveMQ MBeans and a crafted masterslave:// URI to trigger Spring XML loading and achieve arbitrary code execution on the broker JVM. The issue affects Apache ActiveMQ versions before 5.19.7 and versions from 6.0.0 before 6.2.6.
Apache recommends fixed ActiveMQ versions 5.19.7 and 6.2.6
In its vulnerability disclosure, Apache recommended upgrading ActiveMQ to versions 5.19.7 or 6.2.6 to remediate the Jolokia-related security issue. The same affected-version ranges are also cited in reporting on CVE-2026-42588.
Apache discloses CVE-2026-49157 in ActiveMQ Jolokia permissions
Apache ActiveMQ disclosed CVE-2026-49157, an incorrect default-permissions flaw in Jolokia authorization that let authenticated low-privilege web users retain broker-management capabilities intended for administrators. The issue affects versions before 5.19.7 and versions from 6.0.0 before 6.2.6, and Apache said it was reported by Leon Johnson.
Sources
Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections (cybersecuritynews.com)
ActiveMQ Security Flaws Expose Message Brokers (securityonline.info)
CVE-2026-42588 - Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector (cvefeed.io)
CVE-2026-49157: Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default (Apache Mail Archives, lists.apache.org)