Recently, Apache ActiveMQ officially released a security announcement, disclosing a Remote Code Execution Vulnerability (CVE-2026-34197). An authenticated attacker can exploit the Jolokia JMX-HTTP bridge (/api/jolokia/) to invoke specific MBean operations with a crafted discovery URI that loads a remote Spring XML application context, leading to arbitrary code execution on the broker's JVM.
Apache ActiveMQ is an open-source Java message broker, used to decouple services and manage message queues in distributed systems. If you are an ActiveMQ user, check your system and apply security hardening promptly.
Reference:
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
Severity: important
(Severity levels: low, medium, important, and critical)
Affected versions:
Apache ActiveMQ Broker < 5.19.4
6.0.0 < Apache ActiveMQ Broker < 6.2.3
Apache ActiveMQ < 5.19.4
6.0.0 < Apache ActiveMQ < 6.2.3
Secure versions:
Apache ActiveMQ Broker >= 5.19.4
Apache ActiveMQ Broker >= 6.2.3
Apache ActiveMQ >= 5.19.4
Apache ActiveMQ >= 6.2.3
This vulnerability has been fixed in later official versions. If your service version falls within the affected range, upgrade to the latest secure version.
https://activemq.apache.org/components/classic/download/
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
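To check an inventory of brokers against the version ranges listed above, the following added example (not part of the original advisory or of ActiveMQ) classifies reported version strings. The function names, host names and sample inventory are constructed for illustration; a version that sits exactly on the exclusive 6.0.0 bound, or a qualified build of a fix version, is marked for manual review rather than guessed.

```python
import re

# Bounds copied from the advisory's affected and secure version lists.
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
LOWER_6X = (6, 0, 0)  # the advisory lists this as an exclusive lower bound
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[A-Za-z][\w.]*)?")

def parse_version(text):
    """Extract ((major, minor, patch), qualifier) from a version or file name."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) or ""

def classify(text):
    """Return 'affected', 'fixed' or 'review' for one reported version."""
    version, qualifier = parse_version(text)
    if version in (FIXED_5X, FIXED_6X) and qualifier:
        return "review"  # qualified build of a fix version (e.g. -SNAPSHOT)
    if version == LOWER_6X:
        return "review"  # exactly on the exclusive bound; confirm upstream
    if version < LOWER_6X:
        return "affected" if version < FIXED_5X else "fixed"
    return "affected" if version < FIXED_6X else "fixed"

def audit(inventory):
    """Map host -> status for every broker that is not on a fixed version."""
    findings = {}
    for host, reported in inventory.items():
        try:
            status = classify(reported)
        except ValueError:
            status = "review"  # unparseable version string
        if status != "fixed":
            findings[host] = status
    return findings

# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "mq-prod-1": "5.18.3",
    "mq-prod-2": "apache-activemq-6.1.2",
    "mq-stage-1": "6.2.3",
    "mq-legacy": "6.0.0",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```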