RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years
13-year-old RCE vulnerability in Apache ActiveMQ Classic can be chained with authentication bypass flaw.
Summary
A remote code execution vulnerability (CVE-2026-34197) discovered in Apache ActiveMQ Classic has existed for 13 years and can be exploited by chaining it with an older authentication bypass flaw (CVE-2022-41678) or an unauthenticated Jolokia API exposure (CVE-2024-32114). The flaw allows attackers to invoke management operations through Jolokia, make the broker retrieve remote configuration files, and execute OS commands. Patches have been released in ActiveMQ Classic versions 5.19.4 and 6.2.3.
Full text
A remote code execution (RCE) vulnerability that lurked in Apache ActiveMQ Classic for 13 years could be chained with an older flaw to bypass authentication, Horizon3.ai reports.

An open source messaging and Integration Patterns server, Apache ActiveMQ acts as a middleware broker that handles message queues and is widely used across numerous industries. ActiveMQ Classic is the original version of the broker.

Tracked as CVE-2026-34197, the newly identified bug allows attackers to invoke management operations through the Jolokia API and entice the broker to retrieve a remote configuration file and execute OS commands.

According to Horizon3.ai, the security defect is a bypass for CVE-2022-41678, a bug that allows attackers to write webshells to disk by invoking specific JDK MBeans. The fix for that bug, the cybersecurity firm explains, added a flag that allows all operations on every ActiveMQ MBean to be called through Jolokia.

The code execution issue was identified in an operation that sets up broker-to-broker bridges at runtime. Exploiting the bug, however, also requires targeting ActiveMQ’s VM transport feature, which was designed for embedding a broker inside an application. With VM transport, the client and broker communicate directly within the same JVM.

If a VM transport URI references a nonexistent broker, ActiveMQ creates one and accepts a parameter instructing it to load a configuration that could include attacker-supplied URLs.

By chaining the two mechanisms, an attacker could trick the broker into retrieving and running a Spring XML configuration file that “instantiates all bean definitions, resulting in remote code execution,” Horizon3.ai says.

The cybersecurity firm also notes that, on some deployments, RCE could be achieved without authentication by exploiting CVE-2024-32114, which exposes the Jolokia API to unauthenticated users.
“CVE-2024-32114 is a separate vulnerability in ActiveMQ 6.x where the /api/* path, which includes the Jolokia endpoint, was inadvertently removed from the web console’s security constraints. This means Jolokia is completely unauthenticated on ActiveMQ versions 6.0.0 through 6.1.1,” Horizon3.ai explains.

The newly discovered security defect was addressed in ActiveMQ Classic versions 5.19.4 and 6.2.3. Users are advised to update their deployments as soon as possible.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-34197
- cve — CVE-2022-41678
- cve — CVE-2024-32114
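
An added triage example, not part of the original article and not Horizon3.ai or Apache code: it classifies ActiveMQ Classic versions from an inventory against the fixed releases (5.19.4, 6.2.3) and the unauthenticated Jolokia range (6.0.0 through 6.1.1) stated above. It assumes every earlier release in the 5.x and 6.x lines is affected; function names, hostnames and sample versions are constructed.

```python
import re

# From the article: CVE-2026-34197 is addressed in 5.19.4 and 6.2.3;
# CVE-2024-32114 leaves Jolokia unauthenticated on 6.0.0 through 6.1.1.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}
UNAUTH_JOLOKIA = ((6, 0, 0), (6, 1, 1))
SEVERITY = ["vulnerable-unauthenticated", "vulnerable", "unknown", "patched"]


def parse_version(text):
    """Return ((major, minor, patch), suffix) or None if no release number is found."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(.*)$", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups()[:3]), m.group(4).strip()


def triage(version_text):
    """Classify one broker version against the releases named in the article."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"                      # unparseable: needs manual review
    v, suffix = parsed
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"                      # release line the article does not cover
    if v == fixed and suffix:
        return "unknown"                      # e.g. -SNAPSHOT of the fixed release
    if v >= fixed:
        return "patched"
    lo, hi = UNAUTH_JOLOKIA
    if lo <= v <= hi:
        return "vulnerable-unauthenticated"   # Jolokia reachable without credentials
    return "vulnerable"                       # assumption: all earlier releases affected


def triage_inventory(inventory):
    """Map host -> finding, most urgent findings first."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (SEVERITY.index(kv[1]), kv[0])))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "mq-a.example.internal": "5.18.3",
    "mq-b.example.internal": "6.1.0",
    "mq-c.example.internal": "6.2.3",
    "mq-d.example.internal": "5.19.4-SNAPSHOT",
    "mq-e.example.internal": "6.2.0",
    "mq-f.example.internal": "unknown build",
}

if __name__ == "__main__":
    for host, finding in triage_inventory(SAMPLE).items():
        print(f"{finding:28} {host}")
```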