CISA Adds Apache ActiveMQ Code Injection Vulnerability CVE-2026-34197 to Known Exploited Vulnerabilities Catalog
Summary
CISA added CVE-2026-34197, an Apache ActiveMQ code injection vulnerability, to its Known Exploited Vulnerabilities catalog on April 16, 2026. The vulnerability, rated HIGH at CVSS 8.8 with active exploitation status, allows authenticated attackers to achieve arbitrary code execution through the Jolokia JMX-HTTP bridge. Affected versions include Apache ActiveMQ before 5.19.4 and from 6.0.0 before 6.2.3. Federal civilian agencies are required to remediate per BOD 22-01 remediation timelines.
What changed
CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog, marking it with active exploitation status. The vulnerability stems from improper input validation in the Jolokia JMX-HTTP bridge on Apache ActiveMQ's web console, enabling authenticated attackers to invoke crafted operations that trigger remote Spring XML application context loading, resulting in arbitrary code execution through bean factory methods like Runtime.exec().
Organizations running affected versions of Apache ActiveMQ (before 5.19.4, from 6.0.0 before 6.2.3) face immediate security risk and should upgrade to version 5.19.4 or 6.2.3 as soon as possible. Federal civilian agencies must remediate per BOD 22-01 timelines. All users of Apache ActiveMQ Classic should verify their deployments and apply patches to prevent potential compromise of broker JVMs.
What to do next
- Upgrade Apache ActiveMQ to version 5.19.4 or 6.2.3
Archived snapshot
Apr 17, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: Apache Software Foundation
Updated: 2026-04-08
Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.
Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
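The record above describes the reachable surface as Jolokia exec calls against ActiveMQ MBean operations on the web console. The following detection, added here as an example and not code from the CVE record, CISA or the ActiveMQ project, scans request logs for exec calls to those operations so a defender can spot them before or after patching. It assumes a constructed log format (one line per request: client, method, path, status, and the JSON body appended for POSTs) and uses Jolokia's standard request shapes: GET paths of the form `/exec/<mbean>/<operation>/<args>` and POST bodies of the form `{"type": "exec", "mbean": ..., "operation": ...}`.

```python
"""Flag Jolokia exec requests aimed at the ActiveMQ MBean operations named
in CVE-2026-34197 (BrokerService.addNetworkConnector / addConnector).

Added example for this page, not code from the CVE record, CISA or the
ActiveMQ project. It assumes a constructed one-line-per-request log format:
'<client> <method> <path> <status>' with the JSON body appended for POSTs.
Jolokia's own request shapes are used: GET '/exec/<mbean>/<operation>/<args>'
and POST JSON {"type": "exec", "mbean": ..., "operation": ...}.
"""
import json
import re
from urllib.parse import unquote

JOLOKIA_PREFIX = "/api/jolokia/"
MBEAN_DOMAIN = "org.apache.activemq:"
WATCHED_OPERATIONS = {"addNetworkConnector", "addConnector"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})(?: (.*))?$")

# Constructed sample lines; the URIs are placeholders, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConnectionsCount 200
10.0.0.9 GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/placeholder-uri 200
10.0.0.9 POST /api/jolokia/ 200 {"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addConnector(java.lang.String)","arguments":["placeholder-uri"]}
10.0.0.7 POST /api/jolokia/ 200 {"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage"}
10.0.0.8 GET /admin/index.jsp 200
"""


def _bare_operation(operation):
    """Drop an explicit signature such as 'addConnector(java.lang.String)'."""
    return operation.split("(", 1)[0]


def _exec_calls_from_path(path):
    """Yield (mbean, operation) pairs from a GET-style Jolokia exec path."""
    parts = unquote(path[len(JOLOKIA_PREFIX):]).split("/")
    if len(parts) >= 3 and parts[0] == "exec":
        yield parts[1], parts[2]


def _exec_calls_from_body(body):
    """Yield (mbean, operation) pairs from a POST JSON body (single or bulk)."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return
    for req in data if isinstance(data, list) else [data]:
        if isinstance(req, dict) and req.get("type") == "exec":
            yield str(req.get("mbean", "")), str(req.get("operation", ""))


def is_watched(mbean, operation):
    """True when the call targets an ActiveMQ MBean operation the advisory names."""
    return mbean.startswith(MBEAN_DOMAIN) and _bare_operation(operation) in WATCHED_OPERATIONS


def scan(log_text):
    """Return one finding per watched exec call seen in the log text."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, method, path, _status, body = match.groups()
        if not path.startswith(JOLOKIA_PREFIX):
            continue
        calls = list(_exec_calls_from_path(path))
        if method == "POST" and body:
            calls.extend(_exec_calls_from_body(body))
        for mbean, operation in calls:
            if is_watched(mbean, operation):
                findings.append({
                    "client": client,
                    "method": method,
                    "mbean": mbean,
                    "operation": _bare_operation(operation),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The POST branch only works if the logging pipeline actually records request bodies, which a plain access log usually does not; without bodies, only the GET form is visible, so treat the absence of findings as inconclusive rather than as proof that no such calls occurred.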
This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.
Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
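The affected ranges in the record are half-open (from 0 before 5.19.4, from 6.0.0 before 6.2.3), which is easy to get wrong when checking an inventory by hand. The following check is an added example, not code from the CVE record, CISA or the ActiveMQ project; it assumes plain dotted version strings such as `5.18.3` or `6.1.7` (a trailing qualifier like `-SNAPSHOT` is ignored), and the inventory hostnames are constructed placeholders.

```python
"""Decide whether an Apache ActiveMQ Classic version is inside the ranges the
CVE-2026-34197 record lists: before 5.19.4, or from 6.0.0 before 6.2.3.

Added example for this page, not code from the CVE record, CISA or the
ActiveMQ project. It assumes plain dotted version strings such as '5.18.3'
or '6.1.7'; any qualifier after the numeric part (e.g. '-SNAPSHOT') is ignored.
"""
import re

# (lower bound inclusive, upper bound exclusive), exactly as the record states.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 19, 4)),
    ((6, 0, 0), (6, 2, 3)),
]
FIXED_5X = "5.19.4"
FIXED_6X = "6.2.3"

# Constructed inventory for the stand-alone run; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "broker-a.example": "5.18.3",
    "broker-b.example": "5.19.4",
    "broker-c.example": "6.1.7-SNAPSHOT",
    "broker-d.example": "6.2.3",
}


def parse_version(text):
    """Return a 3-tuple of ints; missing components are treated as 0."""
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(text):
    """True when the version falls in any affected range of the record."""
    version = parse_version(text)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def recommended_fix(text):
    """Fixed release to move to, or None when the version is already unaffected."""
    if not is_affected(text):
        return None
    return FIXED_6X if parse_version(text)[0] >= 6 else FIXED_5X


def triage(inventory):
    """Map host -> fixed version for every affected host in an inventory."""
    return {host: recommended_fix(ver) for host, ver in inventory.items() if is_affected(ver)}


if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, upgrade to {fix}")
```

Versions older than the 5.x line are treated as affected (the record says "from 0 before 5.19.4") and are pointed at 5.19.4; the bounds are kept as tuples so the comparison is numeric rather than lexical, which is what makes `5.9.0 < 5.19.4` come out right.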
CWE (2 total)
- CWE-20: Improper Input Validation
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Product Status (3 products, 2 version ranges each)
| Product | Default status | Affected versions |
| --- | --- | --- |
| Apache ActiveMQ Broker | unaffected | from 0 before 5.19.4; from 6.0.0 before 6.2.3 |
| Apache ActiveMQ All | unaffected | from 0 before 5.19.4; from 6.0.0 before 6.2.3 |
| Apache ActiveMQ | unaffected | from 0 before 5.19.4; from 6.0.0 before 6.2.3 |
Credits
- Naveen Sunkavally (Horizon3.ai) finder
References (1 total)
- https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt vendor-advisory
Authorized Data Publishers
CISA-ADP: SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC (1 total)
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-04-07 |
CVSS (1 total)
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.8 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.