Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
10Blast Radius
ecosystem impact- 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
- 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)
Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.
DescriptionCVE.org
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.
An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5.
Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.
Articles & Coverage 1
AnalysisAI
Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.
Technical ContextAI
Apache ActiveMQ is a Java-based message broker implementing JMS (Java Message Service). This vulnerability exploits two underlying technologies: Jolokia (HTTP/JSON bridge for JMX) and Spring Framework's ResourceXmlApplicationContext. The attack chain leverages ActiveMQ's connector management through BrokerView MBeans accessible via Jolokia. When activemq-http module is present, the HTTP Discovery transport protocol accepts remote URIs that can redirect to VM transports. The VM transport's brokerConfig parameter historically allowed loading arbitrary Spring XML contexts. The root cause (CWE-20: Improper Input Validation) stems from insufficient validation of HTTP Discovery responses that return VM transport URIs, bypassing the incomplete fix in CVE-2026-34197. Spring's ResourceXmlApplicationContext eagerly instantiates singleton beans before ActiveMQ validates broker configuration, enabling attackers to execute arbitrary code through bean definitions specifying Runtime.getRuntime().exec() or similar factory methods. The CPE strings confirm all three distribution packages (activemq, activemq-broker, activemq-all) are vulnerable across versions 5.x (<5.19.6) and 6.x (<6.2.5).
RemediationAI
Upgrade immediately to Apache ActiveMQ 5.19.6 (for 5.x deployments) or 6.2.5 (for 6.x deployments) per vendor advisory at https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt. For environments where immediate patching is not feasible, apply these compensating controls with noted limitations: (1) Remove activemq-http JAR from broker classpath - eliminates HTTP Discovery transport capability but breaks legitimate HTTP-based network connectors; confirm no production configurations depend on HTTP transport before implementing. (2) Disable Jolokia endpoint entirely by removing jolokia-core JAR or blocking HTTP access to /api/jolokia/* paths at reverse proxy/firewall layer - prevents management via Jolokia but may break monitoring tools relying on JMX-over-HTTP. (3) Restrict Jolokia authentication to trusted administrator accounts only and audit BrokerView.addNetworkConnector/addConnector invocations - reduces attack surface but does not prevent exploitation by compromised admin credentials. (4) Deploy network segmentation to prevent broker JVM from initiating outbound HTTP connections to attacker-controlled endpoints - blocks malicious HTTP Discovery responses but may interfere with legitimate external integrations. All workarounds carry operational trade-offs; vendor patching is the only complete remediation.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-20 – Improper Input Validation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25410
GHSA-w3w2-mpp5-92gm