Critical RCE Vulnerabilities Discovered in Apache ActiveMQ Management Interfaces

Severity: High (Score: 72.0)

Sources: cve.org, Cyfirma, Nvd.Nist

Published: 2026-06-01 · Updated: 2026-06-02

Keywords: apache, activemq, detail, improper, code, vulnerability, default

Severity indicators: vulnerability, CVE:CVE-2026-45505

Summary

CVE-2026-34197, a high-severity remote code execution vulnerability, affects Apache ActiveMQ Classic due to unsafe exposure of the Jolokia HTTP/JMX management interface. Attackers can exploit this flaw to execute arbitrary code by interacting with privileged broker operations. Additionally, CVE-2026-45505 and CVE-2026-49157 reveal further weaknesses in input validation and default permissions, respectively, allowing unauthorized access to management operations. These vulnerabilities impact versions of ActiveMQ prior to 5.19.7 and from 6.0.0 before 6.2.6. The vulnerabilities have been publicly disclosed, with the first proof of concept available shortly after CVE-2026-34197's publication. Given the critical role of ActiveMQ in enterprise environments, immediate remediation is essential to mitigate risks to application availability and operational continuity.

Key Points:

  • CVE-2026-34197 allows remote code execution via the Jolokia management interface.
  • CVE-2026-45505 and CVE-2026-49157 expose further vulnerabilities in ActiveMQ's security.
  • Immediate upgrades to versions 5.19.7 or 6.2.6 are recommended to mitigate risks.

Detailed Analysis

**Impact** Enterprises using Apache ActiveMQ Classic, particularly versions before 5.19.7 and from 6.0.0 before 6.2.6, are affected globally across sectors relying on asynchronous communication between distributed applications and backend services. Exploitation can disrupt critical business system communications, impacting application availability and operational continuity. Unauthorized management operations risk compromising infrastructure integrity and may lead to service integration failures. No specific data breach or geographic impact details were provided.

**Technical Details** Attackers exploit exposed Jolokia HTTP/JMX management interfaces to invoke privileged broker operations remotely, leveraging CVE-2026-34197 for RCE via crafted Spring XML application contexts. CVE-2026-45505 allows bypass of prior fixes through improper input validation in discovery URI wrappers, enabling code injection on the broker JVM. CVE-2026-49157 involves incorrect default Jolokia permissions granting low-privilege accounts unauthorized access to management functions like addQueue and removeQueue. Exploitation occurs at the execution and persistence stages of the kill chain. No specific malware or IOCs were mentioned.

**Recommended Response** Apply Apache ActiveMQ patches 5.19.7 or 6.2.6 immediately to remediate all identified vulnerabilities. Restrict network exposure of Jolokia management interfaces and enforce strict access controls to prevent unauthorized operations. Monitor for unusual broker management activity, including unexpected addNetworkConnector or addQueue commands. No additional detection signatures or IOCs were provided.
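
One way to implement the monitoring step in the recommended response, as an added example that is not taken from the cited sources: it scans logged Jolokia POST bodies for exec calls to the broker operations named above. The record layout, the `admin` account name, the MBean name and all sample data are assumptions constructed for illustration.

```python
import json

# Operations the advisory names for monitoring; the MBean name is an assumption.
WATCHED_OPS = {"addNetworkConnector", "addQueue", "removeQueue"}
BROKER_DOMAIN = "org.apache.activemq:"
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"

# Constructed sample: (authenticated user, raw Jolokia POST body) pairs, as a
# request logger in front of the management interface might record them.
SAMPLE_REQUESTS = [
    ("monitor", json.dumps({"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"})),
    ("appuser", json.dumps({"type": "exec", "mbean": BROKER, "operation": "addQueue",
                            "arguments": ["orders.tmp"]})),
    ("appuser", json.dumps([  # bulk request: a JSON array of requests
        {"type": "read", "mbean": "java.lang:type=Memory", "attribute": "HeapMemoryUsage"},
        {"type": "exec", "mbean": BROKER, "operation": "addNetworkConnector(java.lang.String)",
         "arguments": ["<redacted>"]},
    ])),
    ("admin", "not-json"),
]


def watched_operations(body):
    """Return the watched operation names invoked by one Jolokia POST body."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return []  # malformed body: nothing to classify
    # A body is either a single request object or a JSON array (bulk request).
    requests = parsed if isinstance(parsed, list) else [parsed]
    hits = []
    for req in requests:
        if not isinstance(req, dict) or str(req.get("type", "")).lower() != "exec":
            continue
        if not str(req.get("mbean", "")).startswith(BROKER_DOMAIN):
            continue
        # The operation may carry a signature suffix, e.g. "op(java.lang.String)".
        op = str(req.get("operation", "")).split("(", 1)[0]
        if op in WATCHED_OPS:
            hits.append(op)
    return hits


def find_alerts(records, admins=frozenset({"admin"})):
    """Return (user, operation, reason) for every watched call in the records."""
    alerts = []
    for user, body in records:
        for op in watched_operations(body):
            reason = "admin management call" if user in admins else "non-admin management call"
            alerts.append((user, op, reason))
    return alerts
```

Calls by accounts outside the admin set correspond to the default-permission issue described for CVE-2026-49157 and should be reviewed first.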

Source articles (5)

  • CVE-2026-45505 Detail — Nvd.Nist · 2026-06-01
    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers…
  • CVE-2026-49157 Detail — Nvd.Nist · 2026-06-01
    Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin…
  • CVE-2026-34197 Jolokia Exposure Enables RCE in Apache ActiveMQ — Cyfirma · 2026-06-01
    CVE-2026-34197 is a high-severity remote code execution (RCE) vulnerability affecting Apache ActiveMQ Classic, a widely deployed open-source message broker used across enterprise environments for asyn…
  • CVE-2026-45505 — cve.org · 2026-06-01
  • CVE-2026-49157 — cve.org · 2026-06-01

Timeline

  • 2026-04-07 — CVE-2026-34197 published: A remote code execution vulnerability in Apache ActiveMQ due to Jolokia interface exposure was disclosed.
  • 2026-04-08 — First public PoC for CVE-2026-34197: The first proof of concept demonstrating the exploit path for CVE-2026-34197 was released.
  • 2026-04-16 — CVE-2026-34197 added to CISA KEV: CISA included CVE-2026-34197 in its Known Exploited Vulnerabilities catalog due to active exploitation.
  • 2026-06-01 — CVE-2026-45505 and CVE-2026-49157 published: Two additional vulnerabilities in Apache ActiveMQ were disclosed, affecting versions before 5.19.7 and from 6.0.0 before 6.2.6.
  • 2026-06-01 — Recommendations issued for ActiveMQ upgrades: Users are advised to upgrade to versions 5.19.7 or 6.2.6 to address the vulnerabilities.

CVEs

  • CVE-2026-34197
  • CVE-2026-45505
  • CVE-2026-49157

Related entities

  • Zero-day Exploit (Attack Type)
  • Code Injection (Attack Type)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • CWE-94 - Code Injection (Cwe)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • Apache ActiveMQ (Platform)
  • Apache ActiveMQ Classic (Platform)
  • Kali Linux (Platform)
  • Jolokia (Tool)
  • Ubuntu (Company)