Apache ActiveMQ, the widely used open-source message broker, has released critical security updates to address two vulnerabilities that could allow attackers to execute arbitrary code or access restricted files. The more severe of the two flaws exploits a classic “Spring” injection technique, enabling authenticated attackers to seize full control of the broker’s Java Virtual Machine (JVM).
The most significant threat is a high-severity Remote Code Execution (RCE) vulnerability found in the ActiveMQ Classic web console. The flaw, tracked as CVE-2026-34197, centers on the Jolokia JMX-HTTP bridge, a component that allows JMX (Java Management Extensions) operations to be triggered over HTTP.
Researchers discovered that the default Jolokia access policy was overly permissive, allowing “exec” operations on all ActiveMQ MBeans. An attacker can exploit this by invoking specific broker services with a “crafted discovery URI.”
The Attack Chain:
- An authenticated attacker uses the Jolokia bridge to trigger the addNetworkConnector or addConnector operations.
- The malicious URI forces the broker to load a remote Spring XML application context.
- Because of how Spring handles these contexts, it instantiates all “singleton beans” before the broker even validates the configuration.
- By placing malicious bean factory methods—such as Runtime.exec()—inside the remote XML, the attacker achieves arbitrary code execution on the server.
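The attack chain above hinges on Jolokia accepting an “exec” request for addNetworkConnector or addConnector whose argument points at a remote document rather than at a peer broker. The following is an added example, not code from the article or from the ActiveMQ project: a small triage routine for Jolokia requests captured at a reverse proxy or WAF in front of the web console. It assumes the console serves Jolokia under /api/jolokia (both the JSON POST form and the GET path form), uses the ActiveMQ Classic broker MBean name pattern, and treats a URL scheme in the operation argument as the distinguishing signal; the sample traffic and the remote host are constructed placeholders.

```python
import json
import re
from urllib.parse import unquote

# Broker MBean operations the advisory names as the entry point for the RCE.
SENSITIVE_OPERATIONS = {"addNetworkConnector", "addConnector"}
# A remote Spring XML context has to be fetched from somewhere; a URL scheme in
# the argument separates a normal connector URI (tcp://, nio://, static:(...))
# from one that points at a remote document.
REMOTE_URI = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)

SEVERITY = {"ignore": 0, "info": 1, "review": 2, "alert": 3}


def classify_exec(operation, arguments):
    """Rate one Jolokia 'exec' call; returns (level, reason)."""
    op_name = operation.split("(", 1)[0]  # drop an optional "(signature)" suffix
    if op_name not in SENSITIVE_OPERATIONS:
        return "info", f"exec of {op_name}"
    if any(REMOTE_URI.search(str(arg)) for arg in arguments):
        return "alert", f"{op_name} called with a remote URI argument"
    return "review", f"{op_name} called via Jolokia"


def classify_post_body(body):
    """Classify a Jolokia POST body: a single request object or a bulk array."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return "review", "unparseable Jolokia body"
    worst = ("ignore", "no exec request")
    for req in (parsed if isinstance(parsed, list) else [parsed]):
        if isinstance(req, dict) and req.get("type") == "exec":
            result = classify_exec(str(req.get("operation", "")),
                                   req.get("arguments") or [])
            if SEVERITY[result[0]] > SEVERITY[worst[0]]:
                worst = result
    return worst


def classify_get_path(path):
    """Classify a GET-style Jolokia URL: .../exec/<mbean>/<operation>/<arg>/...

    Assumption: Jolokia's "!/" escape for slashes inside path segments is not
    decoded here; a production parser should handle it before splitting.
    """
    marker = "/exec/"
    idx = path.find(marker)
    if idx < 0:
        return "ignore", "not an exec request"
    parts = [unquote(p) for p in path[idx + len(marker):].split("/")]
    if len(parts) < 2:
        return "review", "malformed exec path"
    return classify_exec(parts[1], parts[2:])


def triage(captured):
    """Classify every captured request; returns one (level, reason) per entry."""
    return [classify_post_body(r.get("body", "")) if r["method"].upper() == "POST"
            else classify_get_path(r["path"]) for r in captured]


# Constructed sample traffic (not from a real incident). The MBean name follows
# the ActiveMQ Classic broker naming; the remote host is a placeholder.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_REQUESTS = [
    {"method": "GET", "path": f"/api/jolokia/read/{BROKER}/TotalConsumerCount"},
    {"method": "POST", "path": "/api/jolokia/",
     "body": json.dumps({"type": "exec", "mbean": BROKER,
                         "operation": "gc", "arguments": []})},
    {"method": "GET",
     "path": f"/api/jolokia/exec/{BROKER}/addConnector/tcp:%2F%2F0.0.0.0:61617"},
    {"method": "POST", "path": "/api/jolokia/",
     "body": json.dumps([
         {"type": "read", "mbean": BROKER, "attribute": "BrokerVersion"},
         {"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
          "arguments": ["http://placeholder.invalid/context.xml"]},
     ])},
]

if __name__ == "__main__":
    for req, (level, reason) in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"{level:6s} {req['method']} {req['path']}  ({reason})")
```

The “info” tier exists because the article's point is that the default policy allowed exec on every MBean: any exec call through the console is worth counting, while the two named operations get escalated regardless of argument, since adding connectors at runtime through the HTTP bridge is rare in normal operations.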
The second vulnerability, tracked as CVE-2026-33227, is a lower-severity Path Traversal flaw affecting the ActiveMQ Client, Broker, and Web components. It is classified as “Improper Limitation of a Pathname to a Restricted Directory,” the weakness class behind path traversal.
While categorized as low severity, this type of flaw typically allows an attacker to move outside of intended directory boundaries to read sensitive configuration files or system logs. In the context of a message broker, this could lead to the exposure of internal credentials or network architecture details that could be used to facilitate a more complex secondary attack.
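The article names the weakness class but not the code path in ActiveMQ where it occurs, so the following is a generic illustration of the defensive check for that class, added here and not taken from the project: a resolver that maps a client-supplied path onto a base directory and rejects anything that canonicalises to a location outside it. The base directory and the probe strings are constructed placeholders; nothing is read from disk.

```python
from pathlib import Path
from urllib.parse import unquote


def resolve_inside(base_dir, requested):
    """Map a client-supplied path onto `base_dir` and return the canonical
    target, raising ValueError if it would land outside the base.

    The containment test is done on canonical paths (Path.resolve collapses
    '..' and follows symlinks for the components that exist), not by searching
    for '../' substrings, so percent-encoded separators, backslashes and dot
    segments in the middle of the path are all handled the same way.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(requested)          # decode once, as the web tier would
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    # A leading separator would make the join discard `base` entirely, so a
    # request for "/x" is treated as "x" relative to the base. Backslashes are
    # normalised to "/" as a conservative choice for mixed-separator input.
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = (base / relative).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {requested!r}")
    return candidate


def is_allowed(base_dir, requested):
    """Boolean form of resolve_inside for policy checks and tests."""
    try:
        resolve_inside(base_dir, requested)
        return True
    except ValueError:
        return False


# Constructed inputs; the base directory is a placeholder, nothing is read.
BASE = "/srv/broker/webapps"
PROBES = {
    "admin/index.jsp": True,
    "": True,
    "/admin/index.jsp": True,
    "../../etc/passwd": False,
    "..%2F..%2Fetc%2Fpasswd": False,
    "admin/../../../etc/passwd": False,
    "..\\..\\etc\\passwd": False,
    "admin/%00/../../etc/passwd": False,
}

if __name__ == "__main__":
    for probe, expected in PROBES.items():
        print(f"{is_allowed(BASE, probe)!s:5s} expected={expected!s:5s} {probe!r}")
```

Decoding exactly once matters: decoding in a loop would turn a double-encoded sequence into a separator after the check, while never decoding would let the web tier's own decoding reintroduce one. The check also deliberately accepts paths to files that do not exist, so it can be applied before any filesystem access.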
The vulnerabilities impact both the 5.x and 6.x branches of Apache ActiveMQ. Organizations are urged to check their current deployments against the following list:
For the RCE (CVE-2026-34197):
- Affected: ActiveMQ Broker/Classic 5.x versions before 5.19.4, and 6.x versions from 6.0.0 up to but not including 6.2.3.
- Fixed In: Users should upgrade to 5.19.5 or 6.2.3 immediately.
For the Path Traversal (CVE-2026-33227):
- Affected: ActiveMQ Client, Broker, and Web 5.x versions before 5.19.3, and 6.x versions from 6.0.0 up to but not including 6.2.2.
- Fixed In: Users should upgrade to 5.19.4 or 6.2.2 or later.