Critical 13-Year-Old RCE Flaw in Apache ActiveMQ (CVE-2026-34197) Actively Exploited

Executive Summary

Security researchers have disclosed a critical remote code execution (RCE) vulnerability, CVE-2026-34197, in Apache ActiveMQ Classic, a popular open-source message broker. The vulnerability, which has been latent in the codebase for 13 years, is being actively exploited in the wild. The flaw resides in the Jolokia JMX-HTTP bridge and allows an authenticated attacker to achieve RCE. However, the threat is magnified because it can be chained with CVE-2024-32114, a flaw that makes the vulnerable endpoint completely unauthenticated. This combination allows attackers to achieve unauthenticated RCE, leading to a full system compromise. The Apache Software Foundation has released patches, and immediate action is required.

Vulnerability Details

CVE-2026-34197: This is an improper input validation vulnerability. An authenticated attacker can send a specially crafted request to the addNetworkConnector() operation via the Jolokia API endpoint (/api/jolokia/). By providing a malicious discovery URI, the attacker can trick the ActiveMQ broker into loading a remote Spring XML application context. This allows them to execute arbitrary Java code within the context of the ActiveMQ process.
CVE-2024-32114: This vulnerability, affecting ActiveMQ versions 6.0.0 through 6.1.1, improperly removes security constraints from the /api/* path. The practical effect is that the entire Jolokia API, including the vulnerable addNetworkConnector() method, becomes accessible without any authentication.

The chaining of these two vulnerabilities is what makes this threat so severe. An attacker needs no prior access or credentials to achieve full remote code execution on a vulnerable, internet-facing ActiveMQ server.

Affected Systems

CVE-2026-34197 affects all versions of Apache ActiveMQ Classic prior to 5.19.4 and versions 6.0.0 through 6.2.2.
The unauthenticated exploit chain is possible on versions 6.0.0 through 6.1.1 where both vulnerabilities are present.

Exploitation Status

Multiple security firms, including Horizon3.ai and SentinelOne, have confirmed that CVE-2026-34197 is being actively exploited in the wild. Proof-of-concept (PoC) exploit code is publicly available, lowering the bar for attackers to weaponize this vulnerability.

Impact Assessment

Successful exploitation of this vulnerability chain results in a complete compromise of the ActiveMQ server. An attacker can:

Execute arbitrary commands with the privileges of the ActiveMQ service account.
Steal or manipulate all data passing through the message broker.
Use the compromised server as a pivot point to attack other systems within the internal network.
Deploy ransomware or other malware.

Given that ActiveMQ is often used as a central messaging backbone for enterprise applications, a compromise could have devastating and widespread consequences.

Cyber Observables for Detection

Security teams should hunt for evidence of exploitation in their logs:

Type

url_pattern

Value

/api/jolokia/

Description

Any access to this URL path should be scrutinized. On patched or properly configured systems, it should not be exposed.

Context

Web server access logs, WAF logs, Reverse proxy logs

Confidence

high

Type

string_pattern

Value

addNetworkConnector

Description

The presence of this string in POST data to the Jolokia endpoint is a strong indicator of an exploitation attempt.

Context

WAF logs, Application-level logging

Confidence

high

Type

string_pattern

Value

discoveryURI

Description

The discoveryURI parameter being used with protocols like http:// or ldap:// in a Jolokia request is highly suspicious.

Context

WAF logs, Application-level logging

Confidence

high

Type

process_name

Value

Unusual child processes of the ActiveMQ Java process

Description

Monitor for the ActiveMQ JVM spawning shells (sh, bash, cmd.exe) or network tools (curl, wget).

Context

EDR logs, Host-based monitoring (Sysmon Event ID 1)

Confidence

high

Detection Methods

Vulnerability Scanning: Use a vulnerability scanner to identify all instances of Apache ActiveMQ in your environment and check if they are running a vulnerable version.
Log Analysis: Ingest ActiveMQ and web server logs into a SIEM. Create alerts for any access to the /api/jolokia/ endpoint, especially if it contains the strings addNetworkConnector or discoveryURI.
Network Traffic Analysis: Monitor network traffic for outbound connections from ActiveMQ servers to suspicious IP addresses, which could indicate a reverse shell or data exfiltration.
D3FEND Techniques: Implement D3-NTA: Network Traffic Analysis to detect the anomalous network connections resulting from a successful RCE. Use D3-PA: Process Analysis on the host to detect when the Java process spawns unexpected child processes like a shell.

Remediation Steps

Patch Immediately: The primary remediation is to upgrade to a patched version. The Apache Software Foundation has released:
- ActiveMQ 6.2.3
- ActiveMQ 5.19.4
Workaround (If Patching is Delayed): If immediate patching is not possible, restrict access to the ActiveMQ web console. Ensure that it is not exposed to the public internet. Access should be limited to trusted administrative hosts via firewall rules. Additionally, ensure the jolokia-agent is not enabled in the configuration if it is not explicitly needed.
Verification: After patching, verify that the vulnerable endpoint is no longer accessible and that the application functions as expected.

Unauthenticated RCE Possible in Apache ActiveMQ by Chaining New and Old Vulnerabilities