CVE-2026-34197
Apache ActiveMQ Improper Input Validation Vulnerability - [Actively Exploited]
Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
INFO
Published Date :
April 7, 2026, 9:16 a.m.
Last Modified :
April 16, 2026, 7:59 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt ; https://nvd.nist.gov/vuln/detail/CVE-2026-34197
Affected Products
The following products are affected by CVE-2026-34197
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Upgrade ActiveMQ Classic to 5.19.5 or later.
- Upgrade ActiveMQ to 6.2.3 or later.
- Apply vendor-provided patches for ActiveMQ.
Public PoC/Exploit Available at Github
CVE-2026-34197 has a 13 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-34197.
| URL | Resource |
|---|---|
| https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/04/06/3 | Mailing List Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-34197 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-34197
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
支持检测和利用ActiveMQ漏洞,CVE-2015-5254,CVE-2016-3088,CVE-2022-41678,CVE-2023-46604,CVE-2024-32114,CVE-2026-34197
Java
None
Python
CVE-2026-34197: Apache ActiveMQ Classic RCE via Jolokia API (CVSS 8.8). Python & Nmap NSE detection scripts. A 13-year-old vulnerability allows remote code execution through the addNetworkConnector MBean operation. Unauthenticated on versions 6.0.0 to 6.1.1. Fixed in 5.19.4 and 6.2.3.
activemq apache-activemq cybersecurity jolokia nmap-scripts nse-scripts remote-code-execution vulnerability-detection cve-2026-34197
Python Lua
Vulhub漏洞搭建Skill,用于帮助安全工程师快速使用Vulhub搭建漏洞复现环境
Python
POC
Python
CVE-2026-34197 — Apache ActiveMQ RCE via Jolokia API | PoC Exploit
Python
CVE-2026-34197
Python
CVE-2026-34197 - Apache ActiveMQ RCE via Jolokia Endpoint PoC
Python
CVE-2026-34197 activemq PoC
Python
CVE-2026-34197
AI-powered subdomain enumeration tool with local LLM analysis via Ollama - 100% private, zero API costs
ai-security bug-bounty cve cybersecurity ethical-hacking golang hacking infosec osint pentesting recon reconnaissance security subdomain-enumeration vulnerability-scanner
Go
None
爬取secwiki和xuanwu.github.io/sec.today,分析安全信息站点、安全趋势、提取安全工作者账号(twitter,weixin,github等)
Python HTML
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-34197 vulnerability anywhere in the article.
-
The Hacker News
Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carrie ... Read more
-
The Hacker News
Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape
A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 ... Read more
-
The Hacker News
22 BRIDGE:BREAK Flaws Expose 20,000 Lantronix and Silex Serial-to-IP Converters
Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper ... Read more
-
CybersecurityNews
CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks
CISA has added three critical Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies and organizations to act immediately. All thre ... Read more
-
CybersecurityNews
6000+ Apache ActiveMQ Instances Vulnerable to CVE-2026-34197 Exposed Online
More than 6,000 internet-exposed Apache ActiveMQ instances are still vulnerable to CVE-2026-34197. This newly tracked security flaw has now been added to the U.S. Cybersecurity and Infrastructure Secu ... Read more
-
CybersecurityNews
Hackers Use Nightmare-Eclipse Tools After Compromising FortiGate SSL VPN Access
A real-world intrusion campaign leveraging publicly available Nightmare-Eclipse privilege escalation tooling, BlueHammer, RedSun, and UnDefend, following what appears to be unauthorized access through ... Read more
-
The Hacker News
Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution
Cybersecurity researchers have discovered a vulnerability in Google's agentic integrated development environment (IDE), Antigravity, that could be exploited to achieve code execution. The flaw, since ... Read more
-
The Hacker News
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco C ... Read more
-
The Register
CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack
CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade. ... Read more
-
security.nl
CISA meldt actief misbruik van kritiek lek in Apache ActiveMQ
Een kritieke kwetsbaarheid in Apache ActiveMQ wordt actief misbruikt, zo waarschuwt het Cybersecurity and Infrastructure Security Agency (CISA) van het Amerikaanse ministerie van Homeland Security. De ... Read more
-
CybersecurityNews
CISA Warns of Apache ActiveMQ Input Validation Vulnerability Exploited in Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical security defect in Apache ActiveMQ. On April 16, 2026, the agency officially added the vul ... Read more
-
The Hacker News
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To tha ... Read more
-
Daily CyberSecurity
High-Severity SSRF Flaw Uncovered in Angular’s Server-Side Rendering
Angular stands as a titan, powering everything from sleek mobile apps to massive enterprise desktop platforms. However, a high-severity security vulnerability has recently been unmasked in the @angula ... Read more
-
Daily CyberSecurity
CISA Adds Critical Apache ActiveMQ RCE Flaw to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive after adding a high-severity vulnerability in Apache ActiveMQ to its Known Exploited Vulnerabilities (KEV) Ca ... Read more
-
The Hacker News
⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-s ... Read more
-
Help Net Security
Week in review: Windows zero-day exploit leaked, Patch Tuesday forecast
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Cloudflare moves up its post-quantum deadline as researchers narrow the path to Q-Day Cloudflare annou ... Read more
-
Help Net Security
April 2026 Patch Tuesday forecast: Spring-cleaning of a preview
I just blinked and the first quarter of the year is GONE. Where does the time go? I looked back at my article from last month where I touched on the use of AI and some of the vulnerabilities associate ... Read more
-
Help Net Security
Claude helps researcher dig up decade-old Apache ActiveMQ RCE vulnerability (CVE-2026-34197)
In the latest demonstration of how AI assistants can help with bug hunting, Horizon3.ai researcher Naveen Sunkavally used Claude to unearth CVE-2026-34197, a remote code execution vulnerability in Apa ... Read more
-
The Hacker News
ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories
Thursday. Another week, another batch of things that probably should've been caught sooner but weren't.This one's got some range — old vulnerabilities getting new life, a few "why was that even possib ... Read more
-
Daily CyberSecurity
CVE-2026-34208 (CVSS 10): Critical Sandbox Escape Uncovered in SandboxJS
In the world of secure software development, sandboxing is the ultimate safety net—a controlled environment designed to run untrusted code without letting it touch the “real” system. However, a critic ... Read more
The following table lists the changes that have been made to the
CVE-2026-34197 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 16, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.4 *cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 6.2.3 *cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.4 *cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 6.2.3 Added Reference Type Apache Software Foundation: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197 Types: US Government Resource Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/04/06/3 Types: Mailing List, Third Party Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Apr. 16, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197 -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Apr. 16, 2026
Action Type Old Value New Value Added Date Added 2026-04-16 Added Due Date 2026-04-30 Added Vulnerability Name Apache ActiveMQ Improper Input Validation Vulnerability Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. -
CVE Modified by [email protected]
Apr. 08, 2026
Action Type Old Value New Value Changed Description Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue -
CVE Modified by [email protected]
Apr. 08, 2026
Action Type Old Value New Value Changed Description Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue. Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Apr. 07, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -
New CVE Received by [email protected]
Apr. 07, 2026
Action Type Old Value New Value Added Description Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue. Added CWE CWE-94 Added CWE CWE-20 Added Reference https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 07, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/04/06/3