🔴 CVE-2026-34197

Critical remote code execution vulnerability in Apache ActiveMQ through the Jolokia JMX-HTTP bridge exposed on the web console. Authenticated attackers can exploit crafted discovery URIs to trigger remote Spring XML loading, leading to arbitrary code execution via bean factory methods.

Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-04-07

Added to CISA KEV: 2026-04-16 (9 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-04-16)

CVE-2026-34197 is a critical vulnerability that allows for remote code execution (RCE) in Apache ActiveMQ [4][6].

Here's a breakdown of what is known about its exploitation:

  • Internet-Facing Applications/Services: The vulnerability affects ActiveMQ, which can be deployed in internet-facing scenarios. Exploitation requires network access to the broker and valid authentication [1].
  • Evidence of Active Exploitation: While the EPSS score suggests a low probability of exploitation in the wild [1], CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation [5]. However, CVE-2026-34197 is not currently listed in the CISA KEV catalog [1].
  • Attack Vectors and Exploitation Methods:
      * Attackers can exploit this vulnerability by invoking operations with a crafted discovery URI that triggers the VM transport's `brokerConfig` parameter to load a remote Spring XML application context [2].
      * This process uses `ResourceXmlApplicationContext`, which instantiates all singleton beans before configuration validation. This allows for arbitrary code execution on the broker's JVM through bean factory methods like `Runtime.exec()` [2].
      * The vulnerability can be exploited via the Jolokia API [4][6].
      * It has been noted that when chained with CVE-2024-32114, it can lead to unauthenticated RCE on certain versions [7].
  • Targeted Attacks: The vulnerability enables attackers to execute unauthorized operating system commands, which could be used to disable the product, or read and modify data [3]. This capability suggests it could be used in targeted attacks to compromise specific systems or data.
  • CISA Known Exploited Vulnerabilities (KEV) Status: As of the latest information, CVE-2026-34197 is not listed in the CISA KEV catalog [1]. CISA maintains this catalog to highlight vulnerabilities that have been actively exploited in the wild [8].
  • Technical Details about Internet Exploitability: The vulnerability allows for remote code execution once an attacker has broker credentials [1]. The exploitation involves manipulating the `brokerConfig` parameter to load a remote Spring XML application context, leading to code execution on the broker's JVM [2]. The Jolokia API is a key component in the exploitation process [4][6].

Sources

  1. CVE-2026-34197 - Vulnerability Details - OpenCVE

    The vulnerability scores 8.8 on CVSS, indicating high severity. The EPSS score is below 1 %, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Nevertheless, because it enables remote code execution once an attacker has broker credentials, the ris…

  2. NVD - CVE-2026-34197

    CVE-2026-34197 Detail. An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instant…

  3. CVE-2026-34197 - Red Hat Customer Portal

    Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for ...

  4. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  5. CVE-2026-34197 ActiveMQ RCE via Jolokia API | Horizon3.ai

    CVE-2026-34197 is an ActiveMQ RCE flaw exploiting Jolokia to execute remote commands. Learn how it works, affected versions, and detection steps.