CVE-2026-34197

Aliases: GHSA-rxpj-7qvf-xv32, BIT-activemq-2026-34197
Advisory lineage: Upstream: 0, Downstream: 2
Analyzed
Published: 07 Apr 2026, 07:50
Last modified: 16 Apr 2026, 18:03

Vulnerability Summary

Overall Risk (default): medium (36/100)
CVSS Score: 8.8 HIGH, v3.1 (cve.org)
EPSS Score: 6.22% LOW
KEV: Listed
CISA: 1 listing
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

  • 07 Apr 2026, 07:50: Published. Vulnerability first disclosed.
  • 16 Apr 2026, 00:00: Added to CISA KEV as "Apache ActiveMQ Improper Input Validation Vulnerability".
  • 16 Apr 2026, 18:03: Last modified. Vulnerability information updated.
  • 30 Apr 2026, 00:00: CISA remediation due. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
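A defender-side check for the request pattern the description names, added here as an example and not part of the advisory or of the ActiveMQ or Jolokia projects: it parses Jolokia JSON POST bodies and flags exec calls on addConnector or addNetworkConnector against org.apache.activemq MBeans, rating a call whose argument carries the brokerConfig option as high. The sample bodies, the broker MBean name and the placeholder XML location are constructed.

```python
import json
from typing import Any, List, Optional

# Constructed example, not ActiveMQ's or Jolokia's own code. It inspects Jolokia
# POST bodies and flags exec calls against the BrokerService operations named in
# CVE-2026-34197, rating an argument that carries brokerConfig as high.
WATCHED_OPS = {"addConnector", "addNetworkConnector"}
ACTIVEMQ_DOMAIN = "org.apache.activemq:"
CONFIG_MARKER = "brokerConfig"  # VM-transport option that loads a Spring XML context

def _op_name(operation: str) -> str:
    # Jolokia accepts "addConnector" as well as "addConnector(java.lang.String)".
    return operation.split("(", 1)[0].strip()

def inspect_exec(mbean: str, operation: str, arguments: Any) -> Optional[dict]:
    """Return a finding for one exec call, or None when it is not of interest."""
    if not mbean.startswith(ACTIVEMQ_DOMAIN) or _op_name(operation) not in WATCHED_OPS:
        return None
    args_text = " ".join(str(a) for a in (arguments or []))
    # Adding a connector over HTTP is rare enough to alert on by itself; an
    # argument carrying brokerConfig matches the pattern the advisory describes.
    severity = "high" if CONFIG_MARKER in args_text else "medium"
    return {"mbean": mbean, "operation": _op_name(operation), "severity": severity}

def findings_from_post(body: str) -> List[dict]:
    """Parse a Jolokia POST body (one request object or a bulk list) and inspect it."""
    try:
        data = json.loads(body)
    except ValueError:
        return []  # not JSON: nothing Jolokia would execute
    calls = data if isinstance(data, list) else [data]
    findings = []
    for call in calls:
        if isinstance(call, dict) and str(call.get("type", "")).lower() == "exec":
            finding = inspect_exec(str(call.get("mbean", "")),
                                   str(call.get("operation", "")), call.get("arguments"))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample bodies (not captured traffic); the remote XML location is a placeholder.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_BODIES = [
    json.dumps({"type": "read", "mbean": BROKER, "attribute": "TotalConnectionsCount"}),
    json.dumps({"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector(java.lang.String)",
                "arguments": ["static:(tcp://peer.example:61616)"]}),
    json.dumps({"type": "exec", "mbean": BROKER, "operation": "addConnector",
                "arguments": ["vm://localhost?brokerConfig=REMOTE-SPRING-XML-PLACEHOLDER"]}),
]
```

Feed it the bodies of POST requests to /api/jolokia/ taken from the web console's access or proxy logs; read, list and search calls pass through without a finding.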

CVSS Metrics

  • v3.1 HIGH, Score: 8.8, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 6.22% Percentile: 91%

Techniques & Countermeasures

  • CWE-20: Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

    The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

  • apache software foundation / apache activemq

    < 5.19.4 | ≥ 6.0.0, < 6.2.3

  • apache software foundation / apache activemq all

    < 5.19.4 | ≥ 6.0.0, < 6.2.3

  • apache software foundation / apache activemq broker

    < 5.19.4 | ≥ 6.0.0, < 6.2.3

  • apache / activemq

    < 5.19.4 | ≥ 6.0.0, < 6.2.3

  • apache / activemq_broker

    < 5.19.4 | ≥ 6.0.0, < 6.2.3

  • org.apache.activemq:activemq-all

    < 5.19.5 | ≥ 6.0.0, < 6.2.3

  • org.apache.activemq:activemq-broker

    < 5.19.5 | ≥ 6.0.0, < 6.2.3

References (5)