Apache ActiveMQ CVE-2026-34197: Critical vulnerability in the KEV catalog - SecNews.gr
By Absenta Mia
April 17, 2026, 12:07
Apache ActiveMQ is at the center of a new cyber threat, as critical vulnerability CVE-2026-34197 has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, following confirmed online attacks. The vulnerability affects the popular open-source message broker and allows arbitrary code execution on vulnerable installations. The fact that the vulnerability remained hidden for over a decade highlights the challenges the cybersecurity community faces in identifying legacy code with security issues.
CISA announced the addition of CVE-2026-34197, with a CVSS score of 8.8, to its list, requiring federal agencies to implement the necessary fixes by April 30, 2026. CISA's decision to include the vulnerability in the KEV list reflects the immediate threat it poses to critical infrastructure and the need for a coordinated national response.
According to researcher Naveen Sunkavally from Horizon3.ai, CVE-2026-34197 has been "hiding in plain sight" for 13 years. It was discovered with the help of Anthropic's AI Claude during bug hunting activities in early 2026. An attacker can call a management function via ActiveMQ's Jolokia API to trick the broker into loading a remote configuration file and executing arbitrary commands. The fact that the vulnerability was discovered with the help of artificial intelligence highlights the new possibilities that AI tools offer in the field of cybersecurity, both for defensive and offensive purposes.
The vulnerability requires access credentials, but the default admin:admin credentials are common in many production environments that are not properly configured. In some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which exposes the Jolokia API without authentication. In these versions, CVE-2026-34197 is essentially an unauthenticated RCE (Remote Code Execution), making it extremely easy for any attacker with network access to exploit. The combined effect of these two vulnerabilities creates a particularly dangerous scenario for organizations that have not updated their systems.
The vulnerability affects the following versions of Apache ActiveMQ:
ActiveMQ Broker before version 5.19.4, and versions 6.0.0 before 6.2.3
ActiveMQ-all in the corresponding versions.
Users are advised to immediately upgrade to version 5.19.4 or 6.2.3, which fix the issue. The Apache Software Foundation released the fixes in late March 2026, reacting quickly to the vulnerability being reported by the research team.
The technical exploitation of the vulnerability involves sending HTTP POST requests to the endpoint /api/jolokia/ (default port 8161). The attacker targets sensitive MBean functions such as BrokerService.addNetworkConnector(String) or BrokerService.addConnector(String) with crafted URIs that load remote Spring XML contexts, leading to arbitrary code execution. The Jolokia framework, which provides JMX-HTTP bridge functionality, has permissive policies by default that allow execution of all org.apache.activemq:* MBeans, creating a wide attack surface.
SAFE Security revealed in a recent report that threat actors are actively targeting exposed Jolokia management endpoints in Apache ActiveMQ Classic installations. The findings demonstrate once again that exploitation timelines continue to shrink as attackers exploit newly discovered vulnerabilities at an alarmingly fast rate. FortiGuard Labs also reported detection of attack attempts via IPS signatures for code injection in ActiveMQ, indicating that malicious actors began scanning for vulnerable systems immediately after the vulnerability was disclosed.
Apache ActiveMQ has been a popular target for attacks, with flaws in the open-source message broker being repeatedly exploited in various malware campaigns since 2021. In August 2025, a critical vulnerability in ActiveMQ (CVE-2023-46604, CVSS score: 10.0) was used by unknown attackers to install Linux malware called DripDropper. This history makes ActiveMQ a high-priority target for attackers, who know that many corporate installations may not have been updated in a timely manner.
Practical protection tips and protective measures
Given Apache ActiveMQ's role in enterprise messaging and data pipelines, exposed management interfaces pose a high risk, potentially allowing data exfiltration, service disruption, or lateral movement within the network. Organizations should check all installations for externally accessible Jolokia endpoints, restrict access to trusted networks, enforce strong authentication, and disable Jolokia where not required. Additionally, it is recommended to implement Web Application Firewalls (WAFs) that can detect and block malicious requests to the Jolokia API.
System administrators should also implement continuous monitoring of logs for signs of compromise, such as abnormal addNetworkConnector calls, unexpected Spring XML contexts, or suspicious activity on port 8161. Using vulnerability scanning tools that can detect vulnerable ActiveMQ installations on the network is also critical to proactively address such threats. Finally, implementing the principle of least privilege in ActiveMQ can significantly reduce the attack surface.
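The log monitoring recommended above, applied to the Jolokia POST requests described earlier, can be sketched as follows. This is an added example, not code from the article or from the ActiveMQ project; it assumes a reverse proxy or WAF that records each request's source, method, path and body (the field names src, method, path and body are hypothetical), and the sample records and MBean name are constructed.

```python
import json

# Operations the article names as targeted BrokerService MBean functions.
SENSITIVE_OPS = ("addNetworkConnector", "addConnector")

def jolokia_calls(body):
    """Yield each request object in a Jolokia POST body (single object or bulk array)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return
    for item in doc if isinstance(doc, list) else [doc]:
        if isinstance(item, dict):
            yield item

def sensitive_op(call):
    """Return the operation name if this is an exec of a sensitive ActiveMQ operation."""
    op = str(call.get("operation", "")).split("(")[0]  # drop "(java.lang.String)"
    is_exec = str(call.get("type", "")).lower() == "exec"
    on_activemq = str(call.get("mbean", "")).startswith("org.apache.activemq:")
    return op if is_exec and on_activemq and op in SENSITIVE_OPS else None

def scan(records, trusted_sources=frozenset()):
    """Return (source, operation, from_trusted_source) for every sensitive exec."""
    findings = []
    for rec in records:
        if rec["method"] == "POST" and rec["path"].startswith("/api/jolokia"):
            for call in jolokia_calls(rec["body"]):
                op = sensitive_op(call)
                if op:
                    findings.append((rec["src"], op, rec["src"] in trusted_sources))
    return findings

# Constructed sample records (not real traffic); connector URIs are placeholders.
MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE = [
    {"src": "10.0.0.5", "method": "POST", "path": "/api/jolokia/", "body": json.dumps(
        {"type": "read", "mbean": MBEAN, "attribute": "TotalMessageCount"})},
    {"src": "203.0.113.7", "method": "POST", "path": "/api/jolokia/", "body": json.dumps(
        {"type": "exec", "mbean": MBEAN, "arguments": ["<placeholder-uri>"],
         "operation": "addNetworkConnector(java.lang.String)"})},
    {"src": "203.0.113.7", "method": "POST", "path": "/api/jolokia/", "body": json.dumps(
        [{"type": "version"}, {"type": "exec", "mbean": MBEAN,
          "operation": "addConnector", "arguments": ["<placeholder-uri>"]}])},
    {"src": "198.51.100.9", "method": "POST", "path": "/api/jolokia/", "body": "{not json"},
]
if __name__ == "__main__":
    for src, op, trusted in scan(SAMPLE, {"10.0.0.5"}):
        print("notice" if trusted else "ALERT", op, "exec via Jolokia from", src)
```

Standard HTTP access logs do not record POST bodies, so this check only works where request bodies are captured in front of port 8161.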
The addition of CVE-2026-34197 to the CISA KEV list underscores the severity of the threat and the need for immediate action by all organizations using Apache ActiveMQ. Federal agencies have until , 2026 to implement the fixes, while all organizations are advised to immediately proceed with security updates and implement additional protections to minimize the risk of exploitation.