Apache ActiveMQ CVE-2026-34197 Added to CISA KEV During Active Exploitation

Ravie Lakshmanan | April 17, 2026 | Vulnerability / Business Security

A newly disclosed critical security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

To that end, the agency added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to apply a fix by April 30, 2026.

CVE-2026-34197 is described as an improper input validation issue that could lead to code injection, which effectively allows an attacker to execute arbitrary code on a vulnerable installation. According to Horizon3.ai’s Naveen Sunkavally, CVE-2026-34197 has been “hidden in plain sight” for 13 years.

“An attacker can request an administrative function through ActiveMQ’s Jolokia API to trick the vendor into downloading a remote configuration file and executing arbitrary OS commands,” Sunkavally added.

“The vulnerability requires credentials, but default credentials (admin:admin) are common in most environments. In some versions (6.0.0–6.1.1), no credentials are required due to another vulnerability, CVE-2024-32114, which indirectly exposes the authentication API. CVE-2026-34197 is an unauthorized RCE.”

The vulnerability affects the following versions –

  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
  • Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
  • Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3

Users are advised to upgrade to version 5.19.4 or 6.2.3, which address the issue. There are currently no details on how CVE-2026-34197 is being exploited in the wild, but SAFE Security, in a report published this week, revealed that threat actors are targeting Jolokia endpoints in Apache ActiveMQ Classic deployments.
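The affected ranges and fixed releases listed above, turned into an inventory triage check. This is an added example, not code from the original article or the Apache project; the host names and status labels are constructed, and version strings with suffixes are reported as unknown rather than guessed.

```python
import re

# Fixed releases named in the article for each release line.
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
# Range the article says needs no credentials because of CVE-2024-32114.
NO_AUTH_RANGE = ((6, 0, 0), (6, 1, 1))


def parse(version):
    """Return (major, minor, patch), or None for anything not strictly x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(version):
    """Classify one ActiveMQ Classic version against the article's ranges."""
    v = parse(version)
    if v is None:
        return "unknown"  # e.g. -SNAPSHOT builds: verify by hand
    fixed = FIXED_5X if v < (6, 0, 0) else FIXED_6X
    if v >= fixed:
        return "patched"
    lo, hi = NO_AUTH_RANGE
    return "affected-no-auth" if lo <= v <= hi else "affected"


def triage_inventory(rows):
    """Group (host, version) rows by status, most urgent status first."""
    order = ["affected-no-auth", "affected", "unknown", "patched"]
    report = {status: [] for status in order}
    for host, version in rows:
        report[triage(version)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    ("mq-legacy-01", "5.18.10"),
    ("mq-prod-02", "6.1.0"),
    ("mq-prod-03", "6.2.3"),
    ("mq-dev-04", "6.2.3-SNAPSHOT"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(INVENTORY).items():
        print(f"{status:17} {', '.join(hosts) or '-'}")
```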

The findings also show that exploitation timelines continue to shrink as attackers exploit newly disclosed vulnerabilities at an alarmingly rapid rate and breach systems before they are patched.

Apache ActiveMQ is a popular target for attacks, with flaws in the open-source message broker repeatedly exploited in various malware campaigns since 2021. In August 2025, a critical vulnerability in ActiveMQ (CVE-2023-46604, CVSS score: 10.0) was exploited by unknown Linux malware.

“Given ActiveMQ’s role in messaging and business data, exposed management interfaces present a significant vulnerability, with the potential to allow data exfiltration, service disruption, or coordinated movement,” SAFE Security said. “Organizations should audit all deployments of externally accessible Jolokia endpoints, restrict access to trusted networks, enforce strong authentication, and block Jolokia where it is not needed.”
