Last updated: May 14, 2026 at 10:49 AM UTC

Federal patch deadline for 13-year-old Apache ActiveMQ flaw is Wednesday - 7,500+ servers still exposed online (CVE-2026-34197)

Federal agencies have until April 30 - this Wednesday - to patch Apache ActiveMQ servers against CVE-2026-34197, a remote code execution flaw that has been hiding in the open-source message broker for 13 years. Shadowserver shows more than 7,500 ActiveMQ servers still exposed online and unpatched. The bug normally requires a login, but on ActiveMQ versions 6.0.0 through 6.1.1 a separate, older flaw lets attackers skip the login step entirely, which makes this an unauthenticated remote takeover on those builds. The vulnerability was found by a researcher at Horizon3.ai using Anthropic's Claude AI assistant; the researcher said the discovery was '80% Claude.'

Check
Inventory every Apache ActiveMQ server, including in subsidiary networks and old developer environments, and patch this week before the federal deadline.
Affected
Apache ActiveMQ Classic versions before 5.19.4 and 6.x versions before 6.2.3. CVSS 8.4. ActiveMQ 6.0.0 through 6.1.1 are at acute risk because a separate flaw (CVE-2024-32114) removes the login requirement entirely on those versions, making this an unauthenticated takeover. ActiveMQ Artemis is not affected.
Fix
Upgrade to ActiveMQ Classic 5.19.4 or 6.2.3 (ideally to 5.19.6 or 6.2.5). Change any default admin:admin credentials before exposing the broker again. Hunt broker logs for POSTs to /api/jolokia/ containing 'addNetworkConnector', for unexpected outbound HTTP from the Java process, and for unexpected child processes. Restrict the Jolokia API to internal networks only.
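
To turn the version ranges under "Affected" into an inventory triage, here is an added example (not code from the article, Horizon3.ai or the ActiveMQ project). The inventory rows, hostnames and status labels are constructed for illustration; only the version thresholds come from the text above.

```python
import re

# Thresholds taken from the "Affected" and "Fix" text above.
FIXED_5X = (5, 19, 4)                    # Classic 5.x is fixed from 5.19.4
FIXED_6X = (6, 2, 3)                     # Classic 6.x is fixed from 6.2.3
NO_AUTH_RANGE = ((6, 0, 0), (6, 1, 1))   # CVE-2024-32114 removes the login here

# Hypothetical status labels, most urgent first.
SEVERITY = ["vulnerable-unauthenticated", "vulnerable-authenticated",
            "unknown-verify-manually", "patched", "not-affected"]


def parse_version(text):
    """Return (major, minor, patch) from '6.1.0', '5.18' or '5.18.3-SNAPSHOT'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(product, version):
    """Classify one inventory entry against CVE-2026-34197."""
    if "artemis" in product.lower():
        return "not-affected"            # the article says Artemis is not affected
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown-verify-manually"  # never assume an unparsed build is safe
    if NO_AUTH_RANGE[0] <= v <= NO_AUTH_RANGE[1]:
        return "vulnerable-unauthenticated"
    fixed = FIXED_6X if v[0] >= 6 else FIXED_5X
    return "vulnerable-authenticated" if v < fixed else "patched"


def report(rows):
    """Sort (host, product, version) rows so the most urgent hosts come first."""
    results = [(triage(p, v), host, v) for host, p, v in rows]
    return sorted(results, key=lambda r: (SEVERITY.index(r[0]), r[1]))


# Constructed inventory; hostnames are made up.
INVENTORY = [
    ("mq-dev-03", "ActiveMQ Classic", "5.18.3-SNAPSHOT"),
    ("mq-sub-01", "ActiveMQ Classic", "6.1.0"),
    ("mq-prod-01", "ActiveMQ Classic", "6.2.3"),
    ("mq-art-01", "ActiveMQ Artemis", "2.31.0"),
    ("mq-old-07", "ActiveMQ Classic", "unknown"),
]

if __name__ == "__main__":
    for status, host, version in report(INVENTORY):
        print(f"{status:28} {host:12} {version}")
```

Hosts labelled vulnerable-authenticated still deserve the same urgency if the default admin:admin credentials were never changed.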