Overview
CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ, is under active exploitation following its public disclosure in early April 2026. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on April 17, 2026, mandating that Federal Civilian Executive Branch (FCEB) agencies patch affected systems by April 30, 2026.
The vulnerability had existed in the ActiveMQ codebase for 13 years before its discovery. It abuses the Jolokia management API, a Java Management Extensions (JMX) bridge that is commonly exposed in default ActiveMQ deployments.
Technical Details
CVE-2026-34197 is an improper input validation and code injection flaw in Apache ActiveMQ Classic. The attack vector targets the Jolokia API endpoint, which exposes JMX management operations over HTTP.
Exploitation mechanism:
- Attacker identifies a publicly accessible Jolokia endpoint on an ActiveMQ instance
- Attacker invokes a management operation to trick the broker into fetching a remote configuration file
- The broker processes the malicious configuration, resulting in arbitrary operating system command execution on the host
While authentication is normally required to reach Jolokia management endpoints, default credentials (admin:admin) are widely present in production deployments, and CVE-2024-32114 (affecting versions 6.0.0–6.1.1) removes authentication requirements entirely, making those versions trivially exploitable with no credential requirement.
Active Exploitation
Telemetry data from Fortinet FortiGuard Labs documented dozens of exploitation attempts against exposed Jolokia endpoints, with activity peaking on April 14, 2026 — three days before CISA's KEV addition. Threat actors are actively scanning for:
- Exposed Jolokia API endpoints (`/api/jolokia/` or `/jolokia/`)
- Instances running default admin credentials
- Versions affected by CVE-2024-32114 (unauthenticated access)
The combination of a long-resident vulnerability, widespread default credentials, and a well-understood exploitation path makes this a high-priority target for automated scanning and opportunistic exploitation.
Affected Versions
| Component | Affected |
|---|---|
| Apache ActiveMQ Classic | All versions prior to 5.19.4 and 6.2.3 |
| Apache ActiveMQ 6.0.0–6.1.1 | Also affected by CVE-2024-32114 (no auth required) |
Remediation
Upgrade immediately to a fixed version:
- Apache ActiveMQ Classic 6.2.3 or later
- Apache ActiveMQ Classic 5.19.4 or later
Additional mitigations:
- Disable or restrict Jolokia endpoints — if the Jolokia management API is not required, disable it or restrict access to trusted management networks only
- Change default credentials — immediately replace the default `admin:admin` credentials on all ActiveMQ instances
- Network segmentation — ensure ActiveMQ management interfaces are not exposed to the public internet
- Audit exposed instances — use internal scanning to identify all ActiveMQ deployments and verify patch status
- Monitor for exploitation — watch for unusual HTTP requests to `/jolokia/` endpoints and unexpected outbound connections from ActiveMQ hosts
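The monitoring item above, worked as an added example that is not part of this advisory: a small Python checker that runs over constructed Jetty-style access-log lines and flags requests to the Jolokia paths, rating a successful POST from outside the management network highest. The log format (NCSA-style, as the broker's embedded Jetty can be configured to write) and the trusted network `10.10.5.0/24` are assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample access-log lines (not from a real broker).
SAMPLE_LOG = """\
10.10.5.20 - admin [14/Apr/2026:09:12:01 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 4413
203.0.113.45 - - [14/Apr/2026:09:13:22 +0000] "GET /api/jolokia/ HTTP/1.1" 401 0
203.0.113.45 - admin [14/Apr/2026:09:13:23 +0000] "POST /api/jolokia/ HTTP/1.1" 200 517
10.10.5.20 - admin [14/Apr/2026:09:15:00 +0000] "GET /jolokia/version HTTP/1.1" 200 301
198.51.100.7 - - [14/Apr/2026:09:16:40 +0000] "GET /jolokia/ HTTP/1.1" 200 288
"""

# NCSA common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Both Jolokia paths named in the advisory.
JOLOKIA_PREFIXES = ("/api/jolokia", "/jolokia")

# Assumed management network; replace with your own allowlist.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.5.0/24")]


def classify(line: str) -> Optional[dict]:
    """Return a finding for a Jolokia request, or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.startswith(JOLOKIA_PREFIXES):
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    trusted = any(ip in net for net in TRUSTED_MGMT)
    status, method = int(m.group("status")), m.group("method")
    # Jolokia accepts operation requests over GET and POST; a successful POST
    # from outside the management network is the strongest signal here.
    # Any other untrusted hit (including 401s) still indicates scanning.
    if not trusted and method == "POST" and status == 200:
        severity = "high"
    elif not trusted:
        severity = "medium"
    else:
        severity = "info"
    return {"ip": str(ip), "user": m.group("user"), "method": method,
            "path": path, "status": status, "trusted": trusted, "severity": severity}


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only Jolokia findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

Pair the findings with a check for unexpected outbound connections from the same host, since a Jolokia request alone does not prove the broker fetched a remote configuration.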
CISA KEV Mandate
CISA's addition of CVE-2026-34197 to the Known Exploited Vulnerabilities catalog carries a federal patching mandate:
| Agency Type | Deadline |
|---|---|
| Federal Civilian Executive Branch | April 30, 2026 |
Non-federal organizations should treat this timeline as a target given active exploitation in the wild.