Code Injection Vulnerability in Apache ActiveMQ Broker Up to Version 6.2.2
CVE-2026-34197
Key Information:
- Vendor: Apache
- CVE Published: 7 April 2026
What is CVE-2026-34197?
CVE-2026-34197 is a critical code injection vulnerability discovered in Apache ActiveMQ Broker versions up to 6.2.2. Apache ActiveMQ is a widely used open-source message broker that facilitates communication between applications in a distributed network. This vulnerability arises from improper input validation and control over code execution within the broker environment. Specifically, the Jolokia JMX-HTTP bridge, which is exposed on the web console, allows authenticated users to perform operations that can manipulate the broker's configuration. By crafting a malicious discovery URI, an attacker can exploit this vulnerability to execute arbitrary code on the JVM of the broker. This poses a significant threat: it can lead to unauthorized access and data manipulation, and can potentially allow an attacker to take complete control of the affected system.
Potential impact of CVE-2026-34197
- Arbitrary Code Execution: The vulnerability enables authenticated attackers to execute arbitrary code on the server, which can lead to severe compromise of the system's integrity and confidentiality.
- Configuration Manipulation: Attackers can exploit the vulnerability to manipulate broker configurations, which may disrupt normal operations and lead to service downtime or data loss.
- Potential for Further Exploitation: Successful exploitation of this vulnerability can serve as a foothold for attackers to launch further attacks within the organization's network, leading to more extensive breaches and potential ransomware deployments.
CISA has reported CVE-2026-34197
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-34197 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Apache ActiveMQ 0 < 5.19.4
Apache ActiveMQ 6.0.0 < 6.2.3
Apache ActiveMQ All 0 < 5.19.4
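To triage a broker inventory against the ranges listed above, the following added example (not code from Apache or from this page) classifies reported version strings. The hostnames and inventory are constructed, and marking a pre-release or vendor-qualified build of a fixed version as "review" is an assumption of this example.

```python
import re

# (first affected, first fixed) pairs from the "Affected Version(s)" list above.
# The "Apache ActiveMQ All" entry repeats the first range.
AFFECTED_RANGES = [((0, 0, 0), (5, 19, 4)), ((6, 0, 0), (6, 2, 3))]

_VERSION = re.compile(
    r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]?([A-Za-z][\w.-]*))?$")

def parse_version(text):
    """Return ((major, minor, patch), qualifier) or None if unparseable."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    nums = tuple(int(g) if g else 0 for g in m.group(1, 2, 3))
    return nums, m.group(4)

def triage(version):
    """Classify one version string: 'affected', 'not-affected' or 'review'."""
    parsed = parse_version(version)
    if parsed is None:
        return "review"                      # unreadable version: check by hand
    nums, qualifier = parsed
    for first_bad, first_fixed in AFFECTED_RANGES:
        if first_bad <= nums < first_fixed:
            return "affected"
        # Assumption: a SNAPSHOT/RC/vendor build numbered like the fixed
        # release may predate the fix, so it is not trusted automatically.
        if nums == first_fixed and qualifier:
            return "review"
    return "not-affected"

# Constructed sample inventory (hypothetical hostnames, not from the page).
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.3",
    "mq-prod-02": "5.19.4",
    "mq-stage-01": "6.2.2",
    "mq-stage-02": "6.2.3-SNAPSHOT",
    "mq-dev-01": "6.2.3",
    "mq-lab-01": "unknown",
}

def triage_inventory(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:16} {status}")
```

A "not-affected" result only reflects the version string the broker reports; hosts marked "review" need the actual build checked.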
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
6000+ Apache ActiveMQ Instances Vulnerable to CVE-2026-34197 Exposed Online - IT Security News
More than 6,000 internet-exposed Apache ActiveMQ instances are still vulnerable to CVE-2026-34197. This newly tracked security flaw has now been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. The exposure data comes from The Shadow...
1 week ago
Actively exploited Apache ActiveMQ flaw impacts 6,400 servers
Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability.
1 week ago
EPSS Score
65% chance of being exploited in the next 30 days.
Timeline
- 🦅 CISA Reported
- 📈 Vulnerability started trending
- 💰 Used in Ransomware
- 🟡 Public PoC available
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved