
CVE-2026-34197: 13-Year-Old Apache ActiveMQ RCE via Jolokia API Surfaces for In-the-Wild Attacks

Apache ActiveMQ Classic has a 13-year-old RCE vulnerability (CVE-2026-34197) in the Jolokia API that is actively exploited in the wild. Attackers chain vm:// URIs with remote Spring XML configs to execute arbitrary code as the broker process. Any organization running unpatched ActiveMQ Classic is at immediate risk; the patch deadline is April 30.

CRITICAL | Advisory | Apr 20, 2026
Action required
Identify all ActiveMQ Classic instances in your environment and patch to the latest version immediately. If patching is not possible by April 30, isolate affected systems or disable the Jolokia API endpoint.
Affected products
Apache ActiveMQ Classic, Jolokia API, Apache Software Foundation, Horizon3.ai, CISA
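For hunting while instances are being patched or isolated, the following added example (not part of the advisory or of any vendor tooling) flags logged Jolokia requests that carry a vm:// URI together with a remote http(s) reference, the combination described above. The JSON-lines record shape, the `/jolokia` path match, the `cfg` parameter and all sample values are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

VM_URI = re.compile(r"vm://")
REMOTE_REF = re.compile(r"https?://[^\s\"'\\]+")

def normalise(text):
    """Percent-decode (up to 3 rounds), undo JSON '\\/' and Jolokia '!/' escapes, lowercase."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\/", "/").replace("!/", "/").lower()

def suspicious_jolokia_requests(lines):
    """Return (line_no, src, remote_url) for Jolokia requests carrying vm:// plus a remote URL."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON records
        if not isinstance(rec, dict):
            continue
        path = normalise(str(rec.get("path", "")))
        if "/jolokia" not in path:
            continue  # only requests to the Jolokia endpoint are of interest
        payload = path + " " + normalise(str(rec.get("body", "")))
        remote = REMOTE_REF.search(payload)
        if VM_URI.search(payload) and remote:
            hits.append((line_no, rec.get("src"), remote.group(0)))
    return hits

# Constructed sample records (hypothetical proxy/WAF log that keeps request bodies).
# "cfg" is a placeholder parameter name, not taken from the advisory.
SAMPLE = [json.dumps(r) for r in (
    {"src": "10.0.0.5", "path": "/api/jolokia/read/java.lang:type=Memory", "body": ""},
    {"src": "203.0.113.7", "path": "/api/jolokia/",
     "body": '{"type":"exec","arguments":["vm://placeholder?cfg=http://remote.invalid/beans.xml"]}'},
    {"src": "203.0.113.9", "body": "",
     "path": "/api/jolokia/exec/placeholder/VM:!/!/placeholder%3Fcfg=https:!/!/remote.invalid!/b.xml"},
    {"src": "10.0.0.8", "path": "/api/jolokia/", "body": '{"arguments":["vm://localhost"]}'},
    {"src": "10.0.0.9", "path": "/admin/queues.jsp", "body": "vm://x http://remote.invalid/y"},
)] + ["not a json line"]

if __name__ == "__main__":
    for hit in suspicious_jolokia_requests(SAMPLE):
        print(hit)
```

A hit is a lead for triage, not proof of compromise; correlate it with outbound connections from the broker host to the reported remote URL.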