CVE-2026-34197 is a high-severity RCE vulnerability in Apache ActiveMQ. Patch immediately to versions 5.19.4 or 6.2.3 to prevent remote code injection.

| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| activemq | * | 5.19.4 | vulnerable |
| activemq | 6.0.0 | 6.2.3 | vulnerable |
| activemq_broker | * | 5.19.4 | vulnerable |
| activemq_broker | 6.0.0 | 6.2.3 | vulnerable |

Upgrade to Apache ActiveMQ version 5.19.4 or 6.2.3 immediately to address the improper input validation in the Jolokia bridge and prevent unauthorized code execution.

Identify and update all instances of ActiveMQ Broker and ActiveMQ Classic running versions prior to 5.19.4 or versions between 6.0.0 and 6.2.2 to the latest secure releases.

Limit access to the /api/jolokia/ endpoint and the web console to trusted internal networks only, and enforce strict multi-factor authentication to prevent unauthorized JMX operations.

Review Jolokia logs for unusual exec operations on BrokerService MBeans and inspect network traffic for outbound connections from the broker to unknown remote Spring XML resources.

Monitor web console logs for HTTP POST requests to the /api/jolokia/ endpoint containing addNetworkConnector or addConnector operations. Look for suspicious discovery URIs pointing to external XML files or remote hosts. Additionally, use network security monitoring to detect unauthorized outbound connections from the ActiveMQ broker to external IP addresses, which may indicate the retrieval of a malicious Spring configuration context.
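
One way to implement the log check described above, as an added example that is not part of the original advisory. It assumes a reverse proxy or WAF in front of the web console writes one JSON object per request with `client`, `method`, `path` and `body` fields (a hypothetical schema) and that `TRUSTED_HOSTS` is a site-specific allowlist; the sample lines are constructed.

```python
import json
import re
from urllib.parse import urlsplit

WATCHED_OPS = {"addNetworkConnector", "addConnector"}
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "broker-b.internal.example"}  # assumption: site allowlist
# Every scheme://... URI in a string, including one nested inside another URI.
URI_RE = re.compile(r"(?=(?<![a-z0-9+.\-])([a-z][a-z0-9+.\-]*://[^\s,()\"']+))", re.I)
MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"  # used by the sample only

def is_trusted(uri):
    try:
        return urlsplit(uri).hostname in TRUSTED_HOSTS
    except ValueError:  # unparseable URI: treat as untrusted
        return False

def untrusted_uris(arguments):
    """Return the URIs in a Jolokia exec 'arguments' list whose host is not allowlisted."""
    return [u for u in URI_RE.findall(" ".join(map(str, arguments))) if not is_trusted(u)]

def scan(log_lines):
    """Return (client, operation, untrusted_uris) for each watched exec call."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").startswith("/api/jolokia"):
            continue
        try:
            body = json.loads(rec.get("body") or "null")
        except ValueError:
            continue
        for req in body if isinstance(body, list) else [body]:  # bulk requests are arrays
            if not isinstance(req, dict) or str(req.get("type", "")).lower() != "exec":
                continue
            op = str(req.get("operation", "")).split("(")[0]  # drop optional signature
            if op in WATCHED_OPS:
                findings.append((rec.get("client"), op, untrusted_uris(req.get("arguments") or [])))
    return findings

def sample_record(client, operation, uri):  # constructed log line; field names are assumptions
    body = {"type": "exec", "mbean": MBEAN, "operation": operation, "arguments": [uri]}
    return json.dumps({"client": client, "method": "POST", "path": "/api/jolokia/", "body": json.dumps(body)})

SAMPLE_LOG = [
    sample_record("10.0.4.17", "addNetworkConnector", "static:(tcp://broker-b.internal.example:61616)"),
    sample_record("198.51.100.23", "addNetworkConnector(java.lang.String)", "static:(http://203.0.113.9/ctx.xml)"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Every watched operation is reported, even with an empty URI list, because connector changes through Jolokia are rare enough to review individually; a non-empty list marks the ones that name a host outside the allowlist.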