Apache ActiveMQ CVE-2026-34197: 13-Year-Old Jolokia API Flaw Enables Unauthenticated RCE

A critical unauthenticated remote code execution vulnerability in Apache ActiveMQ's Jolokia management API allows attackers to execute arbitrary OS commands by invoking a management MBean. CVE-2026-34197 roots in a design flaw present since ActiveMQ 5.x and chains dangerously with CVE-2024-32114. Patches are available in ActiveMQ 6.2.3 and 5.19.4.


Apache ActiveMQ, the widely deployed open-source message broker used across enterprise middleware stacks in banking, healthcare, and logistics, has a critical unauthenticated remote code execution vulnerability. CVE-2026-34197, disclosed on 8 April 2026, carries a CVSS score of 9.8 and is rooted in a design flaw in the Jolokia management API that has been present since ActiveMQ 5.x, making this a 13-year-old architectural weakness that was never addressed during the major 6.x rewrite. Patches are available and should be applied immediately.

The Vulnerability

Apache ActiveMQ ships with the Jolokia JMX-over-HTTP bridge enabled by default. Jolokia exposes Java Management Extensions (JMX) MBeans as a REST API, intended to provide administrative monitoring capability. CVE-2026-34197 lies in a specific MBean operation, addNetworkConnector, which allows the ActiveMQ broker to establish a new connection to a remote broker or connector URI.

By invoking addNetworkConnector via the Jolokia API with a crafted URI pointing to an attacker-controlled host, a remote unauthenticated attacker causes the ActiveMQ broker to fetch a remote XML configuration file. This file, parsed by ActiveMQ’s ClassInfo loader, can specify an arbitrary Java class for instantiation — resulting in arbitrary OS command execution under the broker’s service account. No credentials are required; the Jolokia endpoint in ActiveMQ 6.0.0 through 6.1.1 is unauthenticated in the default configuration.

This is a significant regression from ActiveMQ 5.x, where Jolokia required authentication by default. The 6.x configuration change was noted in release documentation but not prominently highlighted, and organisations that auto-migrated configurations from 5.x may not have noticed the change in the default Jolokia authentication posture.

The CVE-2024-32114 Chain

CVE-2026-34197 is most dangerous in combination with CVE-2024-32114, an existing authentication bypass in ActiveMQ’s OpenWire broker protocol that allowed unauthenticated clients to interact with the broker’s administrative channels. Together, the two vulnerabilities create an exploit chain that Horizon3.ai has confirmed in a working proof-of-concept, achieving full unauthenticated root-level OS command execution in under five seconds against an unpatched, default-configured ActiveMQ 6.x broker.

Horizon3.ai’s post-exploitation analysis shows the attack yields file system access as the ActiveMQ service account — which in many enterprise deployments runs with broad permissions due to the broker’s need to read queued messages, write log files, and interact with connected systems. In containerised deployments, exploitation directly compromises the container and can enable container escape if the pod is privileged. In bare-metal or VM deployments, the service account context is typically sufficient for further privilege escalation.

The published Horizon3.ai research includes indicators of compromise and detection artefacts. Given the maturity and quality of this research, weaponised exploit tooling is expected to be integrated into widely available frameworks rapidly.

Affected Versions

CVE-2026-34197 affects:

  • Apache ActiveMQ 6.0.0 through 6.1.1 — critical exposure; Jolokia is unauthenticated on port 8161 by default
  • Apache ActiveMQ 5.x prior to 5.19.4 — affected if Jolokia has been explicitly enabled

Fixed versions:

  • Apache ActiveMQ 6.2.3 — the recommended upgrade path for all 6.x deployments
  • Apache ActiveMQ 5.19.4 — the patch for 5.x deployments; note that 5.x is in limited support and migration to 6.x is encouraged

Remediation

  • Upgrade to ActiveMQ 6.2.3 or 5.19.4 immediately. The patch disables unauthenticated Jolokia access in 6.x deployments and removes the unsafe ClassInfo loader invocation path that enables the command execution step.
  • Disable Jolokia if administrative access is not required. In conf/jolokia-access.xml, restrict all Jolokia commands, or remove Jolokia entirely from the ActiveMQ plugin configuration. In most production deployments, Jolokia is not operationally necessary and should be disabled as a matter of hardening.
  • Network-segment the ActiveMQ administrative port (8161). The broker administrative interface should not be reachable from general-purpose networks or the internet under any circumstances. Firewall rules limiting port 8161 to authorised management hosts significantly reduce the attack surface regardless of patch status.
  • Audit service account privileges. The ActiveMQ service account should run with the minimum privileges required — not as root or a broad system account. Least-privilege service accounts directly limit the impact of successful exploitation.
  • Search broker logs for malicious Jolokia calls. Look for HTTP POST requests to /api/jolokia containing addNetworkConnector or readConfiguration in the request body. These operations are not part of normal broker operation and are highly suspicious outside of explicitly documented administrative tooling.
  • Remediate CVE-2024-32114 concurrently. If CVE-2024-32114 has not already been addressed, apply that fix alongside CVE-2026-34197. The two vulnerabilities chain to produce significantly higher-impact exploitation than either alone — and both are addressed in the same patch release.
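As an added example, not code from the article, from Horizon3.ai or from the Apache ActiveMQ project, the following Python script applies the log-search guidance above to per-request records. It assumes a reverse proxy or request-logging filter in front of the broker stores the client, method, path and body of each request (the sample records are constructed, with the connector URI redacted), and it goes beyond the single POST-body check by also handling Jolokia's bulk JSON-array requests, signature-qualified operation names and the GET form of exec requests, which a search of POST bodies alone would miss.

```python
import json
import re
# Operations the article singles out as not part of normal broker operation.
SUSPICIOUS_OPERATIONS = {"addNetworkConnector", "readConfiguration"}
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"

def _rec(client, method, path, body=None):
    return {"client": client, "method": method, "path": path,
            "body": json.dumps(body) if body is not None else ""}

# Constructed sample traffic (not real captures); the connector URI argument is redacted.
SAMPLE_RECORDS = [
    _rec("10.0.0.5", "POST", "/api/jolokia/",
         {"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"}),
    _rec("203.0.113.7", "POST", "/api/jolokia/",
         {"type": "exec", "mbean": BROKER,
          "operation": "addNetworkConnector(java.lang.String)", "arguments": ["REDACTED"]}),
    # Jolokia also accepts bulk requests: a JSON array of request objects.
    _rec("203.0.113.7", "POST", "/api/jolokia/",
         [{"type": "list"}, {"type": "exec", "mbean": BROKER, "operation": "readConfiguration"}]),
    # The GET form carries the operation in the path instead of a JSON body.
    _rec("198.51.100.9", "GET", f"/api/jolokia/exec/{BROKER}/readConfiguration"),
]

def flag_jolokia_request(record: dict) -> list:
    """Return the suspicious operation names invoked by one request record."""
    path = record.get("path", "")
    if not path.startswith("/api/jolokia"):
        return []
    found = []
    if record.get("method") == "POST" and record.get("body"):
        try:
            payload = json.loads(record["body"])
        except json.JSONDecodeError:
            return []  # not a Jolokia JSON request; nothing to inspect
        for req in payload if isinstance(payload, list) else [payload]:
            if isinstance(req, dict) and req.get("type") == "exec":
                # The operation may carry a signature, e.g. "addNetworkConnector(java.lang.String)".
                op = str(req.get("operation", "")).split("(", 1)[0]
                if op in SUSPICIOUS_OPERATIONS:
                    found.append(op)
    else:
        m = re.match(r"/api/jolokia/exec/[^/]+/([^/(]+)", path)
        if m and m.group(1) in SUSPICIOUS_OPERATIONS:
            found.append(m.group(1))
    return found

def scan(records) -> list:
    # (client, operation) pairs for every suspicious request seen, in log order.
    return [(r.get("client", "?"), op) for r in records for op in flag_jolokia_request(r)]
```

Feed real records into scan() and treat every hit as a lead for review, since neither operation should appear outside documented administrative tooling.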