Apache ActiveMQ Remote Code Execution Vulnerability Added to CISA KEV (CVE-2026-34197)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of active exploitation of the Apache ActiveMQ vulnerability CVE-2026-34197. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog with a remediation due date of April 30, 2026 (binding on federal civilian agencies under BOD 22-01, and a sensible deadline for everyone else). Successful exploitation allows an authenticated attacker to execute arbitrary code on the broker host.

Apache ActiveMQ is a popular, open-source, multi-protocol Java-based message broker designed to facilitate communication between distributed applications. It supports standard messaging protocols (AMQP, MQTT, STOMP) and acts as an intermediary, enabling reliable asynchronous messaging and decoupling of system components.

Vulnerability Details

The vulnerability is an improper input validation and code injection flaw in the Apache ActiveMQ broker that is reachable through the Jolokia JMX-HTTP bridge the web console exposes at /api/jolokia/. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker (valid web-console credentials are required) can invoke either operation with a crafted discovery URI whose VM transport brokerConfig parameter makes the broker load a remote Spring XML application context through ResourceXmlApplicationContext.

Because ResourceXmlApplicationContext instantiates all singleton beans as soon as the context is loaded, before BrokerService validates the resulting configuration, the bean definitions in the attacker-supplied XML run inside the broker's JVM; bean factory methods that wrap calls such as Runtime.exec() therefore give arbitrary code execution.

Affected Versions

  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
  • Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
  • Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
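The following Python script is an added example (not code from Qualys, Apache or the advisory) that turns the vulnerability details and the affected-version ranges above into checks: is_affected() applies the advisory's version ranges to a version string, and find_suspicious_jolokia_requests() scans access-log style records for Jolokia exec calls against org.apache.activemq MBeans that invoke addNetworkConnector or addConnector, in both the GET URL form and the POST JSON form Jolokia accepts, and marks calls whose argument carries a brokerConfig= parameter. The log-line layout (timestamp, source IP, method, path, optional body) and the sample lines are constructed for this example; real web-console access logs normally do not record POST bodies, so the POST branch assumes a reverse proxy or WAF that logs them.

```python
"""Triage helpers for CVE-2026-34197 (ActiveMQ Jolokia exec -> addNetworkConnector/addConnector).

Added example, not code from Qualys or the ActiveMQ project.  The log format and the
sample records below are constructed for illustration.
"""
import json
import re
from urllib.parse import unquote

# Fixed versions from the advisory: 5.x line fixed in 5.19.4, 6.x line fixed in 6.2.3.
FIX_5 = (5, 19, 4)
FIX_6_FIRST, FIX_6 = (6, 0, 0), (6, 2, 3)

# Operations named in the advisory, on MBeans in the ActiveMQ JMX domain.
DANGEROUS_OPS = {"addNetworkConnector", "addConnector"}
ACTIVEMQ_DOMAIN = "org.apache.activemq:"

# Jolokia GET form: /api/jolokia/exec/<mbean>/<operation>/<arg1>/<arg2>...
GET_EXEC = re.compile(r"^/api/jolokia/exec/(?P<mbean>[^/]+)/(?P<op>[^/]+)(?:/(?P<args>.*))?$")


def parse_version(version):
    """'5.18.3' -> (5, 18, 3); qualifiers such as '-SNAPSHOT' are dropped."""
    core = version.strip().split("-")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True when the version falls in one of the advisory's affected ranges."""
    v = parse_version(version)
    return v < FIX_5 or FIX_6_FIRST <= v < FIX_6


def _jolokia_unescape(s):
    # Jolokia GET encoding (after URL decoding): '!/' stands for '/', '!!' for '!'.
    return unquote(s).replace("!/", "/").replace("!!", "!")


def _op_name(op):
    # "addConnector(java.lang.String)" -> "addConnector"
    return op.split("(")[0]


def _exec_calls(method, path, body):
    """Yield (mbean, operation, argument_text) for every Jolokia exec call in one record."""
    if method == "GET":
        m = GET_EXEC.match(path)
        if m:
            yield (unquote(m["mbean"]), _op_name(unquote(m["op"])), _jolokia_unescape(m["args"] or ""))
    elif method == "POST" and path.rstrip("/") == "/api/jolokia" and body:
        try:
            payload = json.loads(body)
        except ValueError:
            return
        requests = payload if isinstance(payload, list) else [payload]  # Jolokia allows bulk POSTs
        for r in requests:
            if isinstance(r, dict) and r.get("type") == "exec":
                yield (str(r.get("mbean", "")), _op_name(str(r.get("operation", ""))),
                       json.dumps(r.get("arguments", [])))


def find_suspicious_jolokia_requests(log_lines):
    """Scan constructed access-log records ('<ts> <src> <method> <path> [<body>]')."""
    findings = []
    for line in log_lines:
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        ts, src, method, path = parts[:4]
        body = parts[4] if len(parts) == 5 else ""
        for mbean, op, args in _exec_calls(method, path.split("?")[0], body):
            if mbean.startswith(ACTIVEMQ_DOMAIN) and op in DANGEROUS_OPS:
                findings.append({
                    "ts": ts, "src": src, "operation": op, "mbean": mbean,
                    # brokerConfig= in the URI is the VM-transport hook that loads remote Spring XML
                    "remote_config": "brokerConfig=" in args,
                })
    return findings


# Constructed sample records; the remote XML location is a placeholder, not a real payload.
SAMPLE_LOG = [
    '2026-04-01T09:00:01Z 10.0.0.5 GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalMessageCount',
    '2026-04-01T09:00:02Z 10.0.0.5 POST /api/jolokia/ {"type":"exec","mbean":"java.lang:type=Memory","operation":"gc"}',
    '2026-04-01T09:00:03Z 203.0.113.9 GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/static:(vm:!/!/b%3FbrokerConfig=REMOTE_SPRING_XML)',
    '2026-04-01T09:00:04Z 203.0.113.9 POST /api/jolokia [{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addConnector(java.lang.String)","arguments":["vm://b?brokerConfig=REMOTE_SPRING_XML"]}]',
]

if __name__ == "__main__":
    for v in ("5.18.3", "5.19.4", "6.2.2", "6.2.3"):
        print(v, "affected" if is_affected(v) else "fixed")
    for f in find_suspicious_jolokia_requests(SAMPLE_LOG):
        print(f)
```

Any hit with remote_config set is worth treating as an exploitation attempt rather than an administrative action; a legitimate operator adding a connector from the console has no reason to pass brokerConfig in the URI. The version check drops build qualifiers, so a "6.2.3-SNAPSHOT" build is reported as fixed; confirm the actual artifact version if you rely on it.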

Mitigation

Upgrade to Apache ActiveMQ 5.19.4 (for the 5.x line) or 6.2.3 (for the 6.x line) to patch the vulnerability. Because the flaw is reached through the web console's /api/jolokia/ endpoint and requires valid console credentials, restricting network access to the web console and protecting its credentials reduce exposure until the upgrade is applied, but they do not fix the vulnerability.

For more information, please refer to the Apache security advisory.

Qualys Detection

Qualys customers can scan their devices with QID 733976 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt