CISA warns of Apache ActiveMQ flaw now under active attack
CISA has added CVE-2026-34197, a high-severity Apache ActiveMQ vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The agency added the flaw on April 16, 2026, and set an April 30, 2026 remediation deadline for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01.
The bug affects Apache ActiveMQ Classic and sits in the Jolokia JMX-HTTP bridge exposed through the web console. Apache says the issue can let an attacker use crafted input to trigger remote code execution on the broker’s JVM through methods such as Runtime.exec().
The vendor advisory does not describe a fully unauthenticated bug. Apache and GitHub both describe CVE-2026-34197 as an authenticated code-execution issue, not a no-login remote exploit by default. That distinction matters because some early summaries overstated the risk path.
How the ActiveMQ vulnerability works
According to Apache, ActiveMQ Classic exposes the Jolokia endpoint at /api/jolokia/ on the web console. The default Jolokia access policy allows exec operations on ActiveMQ MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String), which creates the opening for abuse.
An attacker with valid access can send a crafted discovery URI that abuses the VM transport’s brokerConfig parameter to load a remote Spring XML application context. Apache says the ResourceXmlApplicationContext initializes singleton beans before the broker validates the configuration, which allows arbitrary code execution on the server.
GitHub rates the flaw at CVSS 8.8 and lists it as a high-severity issue with low attack complexity, no user interaction, and low privileges required. That makes it dangerous in real environments where management interfaces stay exposed or weakly protected.
What versions are affected
Apache’s advisory says the issue affects Apache ActiveMQ Broker before 5.19.4 and versions from 6.0.0 before 6.2.3. GitHub’s advisory, which was updated on April 16, lists patched versions as 5.19.5 and 6.2.3, so defenders should follow the latest patched-version guidance rather than rely on older summaries alone.
CISA’s KEV entry does not describe how attackers are using the flaw in live campaigns, only that there is evidence of active exploitation. That is common for KEV additions. The agency often confirms real-world abuse before publishing public technical detail about the attacks themselves.
For enterprises, the bigger concern is placement. ActiveMQ often sits close to internal application traffic, service orchestration, and message flows. A code-execution flaw in that position can give an attacker a valuable foothold inside business-critical infrastructure, even before lateral movement begins. This is an inference based on ActiveMQ’s role and the server-side code-execution impact described by Apache and CISA.
What organizations should do now
The first step is patching. Apache and GitHub both point defenders to fixed releases, and the most recent advisory update lists version 5.19.5 or 6.2.3. Organizations that cannot patch immediately should limit exposure to the web console and Jolokia management functionality while they work through remediation.
Security teams should also review who can access the ActiveMQ web console and whether any low-privilege accounts could reach Jolokia endpoints. Because the flaw requires authentication in the official advisories, access control, credential hygiene, and management-surface reduction all matter here.
CISA’s required action is direct: apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services where relevant, or discontinue use of the product if mitigations are unavailable. Private-sector organizations are not bound by the directive, but CISA says they should still prioritize KEV fixes as part of normal vulnerability management.
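As an added example that is not code from the article, Apache or CISA, here is a small detector for the access review described above: it checks Jolokia requests taken from a web console access log or reverse-proxy capture for exec calls on an ActiveMQ broker MBean that name addNetworkConnector or addConnector, and reports whether the connector URI carries a brokerConfig parameter. The request shapes are Jolokia's standard GET path and JSON POST forms; the broker name, client addresses and traffic records are constructed samples.

```python
import json
import re
from urllib.parse import unquote

RISKY_OPERATIONS = {"addNetworkConnector", "addConnector"}  # exec-allowed by the default Jolokia policy, per the advisory
RISKY_ARG_MARKER = "brokerConfig"  # VM-transport parameter the advisory says is abused to load a remote Spring XML context

def parse_get(path):
    """Jolokia GET form: /api/jolokia/exec/<mbean>/<operation>/<arg1>/<arg2>... (None if not an exec request)."""
    raw = re.split(r"(?<!!)/", unquote(path.partition("/api/jolokia/")[2]))  # Jolokia: '!' escapes '/' and '!'
    parts = [p.replace("!/", "/").replace("!!", "!") for p in raw if p]
    if len(parts) < 3 or parts[0] != "exec":
        return None
    return {"type": "exec", "mbean": parts[1], "operation": parts[2], "arguments": parts[3:]}

def parse_post(body):
    """Jolokia POST form: one JSON request object, or a list of them for bulk requests."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return [r for r in (data if isinstance(data, list) else [data]) if isinstance(r, dict)]

def classify(req):
    """Return a reason string if the request matches the abuse pattern, else None."""
    if req.get("type") != "exec" or not str(req.get("mbean", "")).startswith("org.apache.activemq:"):
        return None
    op = str(req.get("operation", "")).split("(")[0]  # drop an explicit signature such as op(java.lang.String)
    if op not in RISKY_OPERATIONS:
        return None
    args = " ".join(str(a) for a in (req.get("arguments") or []))
    return f"exec {op}" + (" with brokerConfig in connector URI" if RISKY_ARG_MARKER in args else " on broker MBean")

def scan(records):
    """records: (client, method, path_or_body) tuples taken from an access log or reverse-proxy capture."""
    findings = []
    for client, method, payload in records:
        for req in ([parse_get(payload)] if method == "GET" else parse_post(payload)):
            reason = classify(req) if req else None
            if reason:
                findings.append((client, reason))
    return findings

BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_RECORDS = [  # constructed sample traffic, not real captures
    ("10.0.0.5", "GET", f"/api/jolokia/read/{BROKER}/TotalConsumerCount"),
    ("10.0.0.9", "POST", json.dumps({"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
                                     "arguments": ["vm://localhost?brokerConfig=REDACTED"]})),
    ("10.0.0.9", "GET", f"/api/jolokia/exec/{BROKER}/addConnector/tcp:!/!/0.0.0.0:61617"),
]
```

Any hit from `scan()` on a broker whose web console is reachable by low-privilege accounts is worth treating as an incident until the source is explained, since these operations have no routine use from the console.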
Key details at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-34197 |
| Product | Apache ActiveMQ Classic |
| Vulnerability type | Improper input validation and code injection |
| Main affected component | Jolokia JMX-HTTP bridge on the web console |
| Exploitation status | Actively exploited, according to CISA |
| Privileges required | Authenticated access, according to Apache and GitHub |
| Fixed versions | 5.19.5 and 6.2.3 in latest GitHub advisory |
| CISA due date for FCEB agencies | April 30, 2026 |
FAQ
Is CVE-2026-34197 being actively exploited?
Yes. CISA added it to the KEV catalog on April 16, 2026 based on evidence of active exploitation.
Can the flaw be exploited without authentication?
Not in the official advisories from Apache and GitHub. Both describe it as an authenticated issue that attackers can abuse through Jolokia MBeans.
Which versions fix the flaw?
The latest GitHub-reviewed advisory says patched versions are 5.19.5 and 6.2.3.
Why does this vulnerability matter?
Because the flaw is already under real-world attack and can lead to code execution on an important enterprise messaging platform.