Code Injection Vulnerability in Apache ActiveMQ Broker Up to Version 6.2.2
CVE-2026-34197

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 7 April 2026

What is CVE-2026-34197?

Apache ActiveMQ Broker is prone to a code injection vulnerability caused by improper input validation in the Jolokia JMX-HTTP bridge. By default, this bridge exposes a web console that allows the execution of operations on all ActiveMQ MBeans. An authenticated attacker can exploit the vulnerability by supplying a malicious discovery URI, which causes the broker's JVM to load an arbitrary Spring XML application context and can result in arbitrary code execution through methods such as Runtime.exec(). The issue affects multiple versions of Apache ActiveMQ; users should upgrade to the patched versions, 5.19.5 or 6.2.3, to mitigate the risk.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.4

Apache ActiveMQ 6.0.0 < 6.2.3

Apache ActiveMQ Broker 0 < 5.19.4

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Naveen Sunkavally (Horizon3.ai)