The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive after adding a high-severity vulnerability in Apache ActiveMQ to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw, tracked as CVE-2026-34197, carries a CVSS score of 8.8 and is currently being weaponized by malicious actors to achieve remote code execution (RCE) on affected message brokers.
The vulnerability is rooted in an improper input validation and code injection flaw within the Jolokia JMX-HTTP bridge, which is exposed by default at the /api/jolokia/ endpoint on the ActiveMQ web console.
Under standard configurations, the Jolokia access policy is overly permissive, allowing authenticated attackers to invoke exec operations on all ActiveMQ MBeans. Specifically, attackers can target the following operations:
- BrokerService.addNetworkConnector(String)
- BrokerService.addConnector(String)
By invoking these with a crafted discovery URI, an attacker can force the system to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring instantiates all singleton beans before the broker can validate the configuration, the attacker can trigger arbitrary code execution on the broker’s JVM through bean factory methods like Runtime.exec().
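A defender reading the paragraph above will want to know what the described call shape looks like in the web console's request log. The following is an added example, not code from the advisory or from the ActiveMQ project: it scans constructed NCSA-style access-log lines for Jolokia exec requests against the two BrokerService operations named above and raises the severity when an argument points at a remote resource. It assumes the console writes such an access log, that Jolokia GET requests use Jolokia's /exec/mbean/operation/arguments path layout, and that arguments are percent-encoded; the log lines, addresses and URIs are constructed for the example.

```python
"""Flag Jolokia exec calls to BrokerService.addNetworkConnector/addConnector
in web-console access-log lines (constructed sample data, added example)."""
import re
from urllib.parse import unquote

# Operations the advisory names as reachable under the permissive policy.
WATCHED_OPERATIONS = {"addNetworkConnector", "addConnector"}
JOLOKIA_PREFIX = "/api/jolokia/"          # endpoint named in the advisory
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# NCSA common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (assumption: console access logging is enabled).
SAMPLE_LOG = """\
198.51.100.7 - admin [02/Apr/2026:10:15:01 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalEnqueueCount HTTP/1.1" 200 312
198.51.100.7 - admin [02/Apr/2026:10:15:09 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/http:%2F%2F203.0.113.5%2Fcontext.xml HTTP/1.1" 200 190
203.0.113.9 - admin [02/Apr/2026:10:16:44 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addConnector/tcp:%2F%2F0.0.0.0:61617 HTTP/1.1" 200 188
198.51.100.7 - admin [02/Apr/2026:10:17:02 +0000] "POST /api/jolokia/ HTTP/1.1" 200 455
198.51.100.7 - admin [02/Apr/2026:10:18:30 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 8120
"""


def classify(line):
    """Return a finding dict for a suspicious Jolokia request, else None."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(JOLOKIA_PREFIX):
        return None
    # Split on the raw path first so percent-encoded slashes inside an
    # argument do not create extra segments, then decode each segment.
    segments = [unquote(s) for s in m["path"][len(JOLOKIA_PREFIX):].split("/") if s]
    base = {"ip": m["ip"], "user": m["user"], "time": m["ts"], "method": m["method"]}
    if not segments:
        # A bare POST carries the operation in the body, which the access
        # log does not record: worth a look, but cannot be classified here.
        if m["method"] == "POST":
            return {**base, "verdict": "review",
                    "reason": "Jolokia POST; operation not visible in access log"}
        return None
    if segments[0] != "exec" or len(segments) < 3:
        return None
    mbean, operation, args = segments[1], segments[2], segments[3:]
    if operation not in WATCHED_OPERATIONS:
        return None
    remote = next((a for a in args if REMOTE_SCHEME.match(a)), None)
    return {
        **base,
        "mbean": mbean,
        "operation": operation,
        "remote_uri": remote,
        # Any call to these operations changes broker topology at runtime;
        # a remote URI argument matches the loading pattern the advisory describes.
        "verdict": "alert" if remote else "suspicious",
        "reason": ("remote URI passed to " + operation) if remote
                  else "runtime connector change via " + operation,
    }


def scan(log_text):
    """Classify every line of an access log; returns findings in log order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        finding = classify(line)
        if finding:
            finding["line_no"] = line_no
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['verdict']:<10} {f['ip']} {f['reason']}")
```

The split-then-decode order matters: decoding the whole path before splitting would turn a percent-encoded slash inside an argument into a path separator and hide the argument from the remote-URI check.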
This issue affects:
| Product | Vulnerable Versions | Fixed Release |
|---|---|---|
| Apache ActiveMQ Broker | Before 5.19.4 | 5.19.4 |
| Apache ActiveMQ Broker | 6.0.0 to 6.2.2 | 6.2.3 |
| Apache ActiveMQ (All) | Before 5.19.4 | 5.19.4 |
| Apache ActiveMQ (All) | 6.0.0 to 6.2.2 | 6.2.3 |
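The two affected ranges in the table are easy to misread when versions are compared as strings (for example "5.9.0" sorts after "5.19.4" lexically). The following added example, not from the advisory or the ActiveMQ project, turns the table into a version check that a fleet inventory script can call. It assumes version strings of the form major.minor[.patch] with an optional suffix such as -SNAPSHOT, and that an installation can be identified by the activemq-all-<version>.jar name in the distribution root (an assumption about packaging, not something the advisory states).

```python
"""Assess an Apache ActiveMQ version against the advisory's affected ranges
(added example; ranges copied from the table above)."""
import re

# (lowest affected version, first fixed release). The upper bound is
# exclusive: anything below the fixed release in that range is affected.
# "Before 5.19.4" has no stated lower bound, so it starts at 0.0.0.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 19, 4)),   # Before 5.19.4  -> fixed in 5.19.4
    ((6, 0, 0), (6, 2, 3)),    # 6.0.0 to 6.2.2 -> fixed in 6.2.3
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
JAR_RE = re.compile(r"^activemq-all-(\d+\.\d+(?:\.\d+)?[^/\\]*?)\.jar$")


def parse_version(version):
    """'5.18.3-SNAPSHOT' -> (5, 18, 3); missing patch is treated as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) if part else 0 for part in m.groups())


def assess(version):
    """Return whether the version is in an affected range and what fixes it."""
    v = parse_version(version)
    for lowest, fixed in AFFECTED_RANGES:
        if lowest <= v < fixed:
            return {"version": version, "vulnerable": True,
                    "fixed_release": ".".join(map(str, fixed))}
    # Versions outside every listed range (e.g. 5.19.4+, 6.2.3+) are not
    # covered by the advisory's table.
    return {"version": version, "vulnerable": False, "fixed_release": None}


def version_from_jar_name(jar_name):
    """Extract the version from a distribution jar name (packaging assumption)."""
    m = JAR_RE.match(jar_name)
    return m.group(1) if m else None


if __name__ == "__main__":
    for v in ["5.18.6", "5.19.4", "6.0.0", "6.2.2", "6.2.3", "5.17.0-SNAPSHOT"]:
        print(assess(v))
    print(assess(version_from_jar_name("activemq-all-5.18.3.jar")))
```

Tuple comparison does the numeric ordering, so 5.9.0 correctly lands below 5.19.4; the same check applied to raw strings would report it as patched.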
Due to the significant risk this poses to the federal enterprise, agencies have been ordered to remediate the flaw by April 30, 2026.