Unauthenticated RCE Vulnerability in Apache ActiveMQ Classic via Jolokia API (CVE-2026-34197)

1 unique source, 1 article

Summary

A high-severity unauthenticated remote code execution (RCE) vulnerability (CVE-2026-34197) was discovered in Apache ActiveMQ Classic, exposing message brokers to potential compromise for over a decade. The flaw permits attackers to execute arbitrary OS commands by abusing the Jolokia management API, either via default credentials (admin:admin) or through an unauthenticated vector in specific versions (6.0.0-6.1.1) due to a prior issue (CVE-2024-32114). Organizations running vulnerable versions must prioritize patching, as exploitation could lead to full broker compromise and downstream lateral movement in enterprise environments.

Timeline

  1. 08.04.2026 12:15 · 1 article

    Unauthenticated RCE in Apache ActiveMQ Classic via Jolokia API (CVE-2026-34197) identified

    A critical unauthenticated RCE vulnerability (CVE-2026-34197) was disclosed in Apache ActiveMQ Classic, affecting versions prior to 5.19.4 and 6.2.3. The flaw leverages the Jolokia management API to execute arbitrary OS commands via remote configuration file retrieval. Exploitation is possible without credentials in versions 6.0.0-6.1.1 due to CVE-2024-32114, while other versions require default credentials. Patches and detection guidance have been issued to mitigate the risk of compromise.


Information Snippets

  • CVE-2026-34197 enables unauthenticated RCE in Apache ActiveMQ Classic when the Jolokia API is exposed, either via default credentials or due to CVE-2024-32114 (which removes authentication requirements in versions 6.0.0-6.1.1).

    First reported: 08.04.2026 12:15
    1 source, 1 article
  • The vulnerability chain involves invoking a management operation through the Jolokia API to fetch a remote configuration file and execute arbitrary OS commands on the underlying system.

    First reported: 08.04.2026 12:15
    1 source, 1 article
  • Patched versions include ActiveMQ Classic 5.19.4 and 6.2.3, with mitigation guidance to remove default credentials and monitor for exploitation indicators.

    First reported: 08.04.2026 12:15
    1 source, 1 article
  • Exploitation indicators include POST requests to /api/jolokia/ containing addNetworkConnector in the request body, outbound HTTP connections from the broker process to unexpected hosts, and unexpected child processes spawned by the Java process.

    First reported: 08.04.2026 12:15
    1 source, 1 article
  • Logs of particular interest show network connector activity referencing vm:// URIs with brokerConfig=xbean:http.

    First reported: 08.04.2026 12:15
    1 source, 1 article
  • The flaw was discovered with AI assistance, with Anthropic’s Claude credited for identifying 80% of the exploit path in approximately 10 minutes, compared to an estimated week of manual review.

    First reported: 08.04.2026 12:15
    1 source, 1 article
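
The two log-based indicators listed above (POST requests to /api/jolokia/ naming addNetworkConnector, and broker log lines with vm:// URIs carrying brokerConfig=xbean:http) can be checked with a short script. This is an added example, not code from the original report or the ActiveMQ project; it assumes HTTP requests are available as JSON lines with `method`, `path` and `body` fields (a hypothetical layout), and all sample data is constructed.

```python
import json
import re
from urllib.parse import unquote

# Indicator strings are from the page; the record layout and samples are constructed.
JOLOKIA_PATH = "/api/jolokia"
OPERATION = "addnetworkconnector"
VM_XBEAN = re.compile(r"vm://\S*brokerconfig=xbean:http", re.IGNORECASE)

def normalise(value):
    """Undo single or double percent-encoding and JSON-escaped slashes."""
    return unquote(unquote(str(value or ""))).replace("\\/", "/")

def check_http_record(record):
    """True if a request record is a POST to the Jolokia path naming the operation."""
    method = str(record.get("method", "")).upper()
    path = normalise(record.get("path")).lower()
    body = normalise(record.get("body")).lower()
    return method == "POST" and path.startswith(JOLOKIA_PATH) and OPERATION in body

def check_broker_line(line):
    """True if a broker log line references a vm:// URI with brokerConfig=xbean:http."""
    return bool(VM_XBEAN.search(normalise(line)))

def scan(http_jsonl, broker_log):
    """Return (source, line_number, indicator) for every match in both inputs."""
    findings = []
    for n, raw in enumerate(http_jsonl.splitlines(), 1):
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON record; skip it rather than abort the scan
        if isinstance(record, dict) and check_http_record(record):
            findings.append(("http", n, "jolokia-addNetworkConnector"))
    for n, line in enumerate(broker_log.splitlines(), 1):
        if check_broker_line(line):
            findings.append(("broker", n, "vm-xbean-http"))
    return findings

# Constructed sample input (not real traffic or real broker output).
SAMPLE_HTTP = "\n".join([
    '{"method": "GET", "path": "/api/jolokia/", "body": ""}',
    '{"method": "POST", "path": "/api/jolokia/", "body": "placeholder addNetworkConnector"}',
    '{"method": "post", "path": "/api/%6Aolokia/", "body": "placeholder ADDNETWORKCONNECTOR"}',
    'truncated-line-not-json',
])
SAMPLE_BROKER = "\n".join([
    "INFO constructed: connector started",
    "INFO constructed: connector vm://placeholder?brokerConfig=xbean:http://host.invalid/x",
])
```

The remaining indicators (outbound HTTP connections from the broker process and unexpected child processes of the Java process) need network and process telemetry and are outside what this script covers.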