Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.

Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
Published: 2026-04-07
Score: 8.8 High
EPSS: 65.1% High
KEV: Yes
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Apache ActiveMQ Classic includes a Jolokia JMX‑HTTP bridge at /api/jolokia/ that by default permits exec operations on all ActiveMQ MBeans. An authenticated attacker can craft a request to trigger the VM transport’s brokerConfig parameter to load a remote Spring XML application context via ResourceXmlApplicationContext. Because Spring instantiates all singleton beans before broker configuration validation, the broker JVM can execute arbitrary code through bean factory methods such as Runtime.exec(). This is a classic code injection flaw that falls under Improper Input Validation (CWE‑20), Improper Control of Generation of Code (CWE‑94), and System Interface Use with Untrusted Input (CWE‑78). The effect is remote code execution on the broker’s JVM.

Affected Systems

The flaw affects Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ Classic. Versions earlier than 5.19.4 and all releases from 6.0.0 up to but not including 6.2.3 are affected. All of these products expose the vulnerable Jolokia interface and therefore allow the described exploitation path.

Risk and Exploitability

The vulnerability scores 8.8 on CVSS, indicating high severity. The EPSS score is 63 %, indicating a high probability of exploitation in the wild, and it is listed in the CISA KEV catalog, indicating that the vulnerability is known to be exploited in the field. Nevertheless, because it enables remote code execution once an attacker has broker credentials, the risk remains significant. Exploitation requires network access to the broker, valid authentication, and the ability to send the crafted request, after which arbitrary code runs with the broker process’s privileges.

Generated by OpenCVE AI on April 28, 2026 at 08:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache ActiveMQ to version 5.19.4 or 6.2.3, which contain the fix.
  • Restrict the Jolokia policy to disallow exec operations on all MBeans and permit only the minimal set of needed operations.
  • If the broker does not require external JMX access, disable the Jolokia JMX‑HTTP bridge or firewall it so only trusted IPs can reach /api/jolokia/.
  • As an additional precaution, review and tighten broker authentication credentials to limit the number of users with management privileges.

Generated by OpenCVE AI on April 28, 2026 at 08:45 UTC.
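A Jolokia security policy that implements the second and third recommended actions above (no exec through the bridge, loopback-only access, and an explicit deny on the two BrokerService operations named in the description). This is an added illustration, not the policy shipped with ActiveMQ or part of the OpenCVE record; it assumes the broker loads its policy from conf/jolokia-access.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example jolokia-access.xml (assumed location: conf/jolokia-access.xml).
     Added illustration only; not the vendor's default policy. -->
<restrict>
  <!-- Accept Jolokia requests from the broker host itself only. Remote
       management tooling must come through a trusted proxy or VPN. -->
  <remote>
    <host>127.0.0.1</host>
    <host>::1</host>
  </remote>

  <!-- Commands allowed globally. "exec" and "write" are left out on purpose,
       so no MBean operation can be invoked via /api/jolokia/ at all. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>

  <!-- Defence in depth: should "exec" be re-enabled later for some
       dashboard, the connector-adding operations on the broker MBeans
       (the ones abused in CVE-2026-34197) remain denied. -->
  <deny>
    <mbean>
      <name>org.apache.activemq:*</name>
      <operation>addConnector</operation>
      <operation>addNetworkConnector</operation>
    </mbean>
  </deny>
</restrict>
```

If a monitoring tool genuinely needs exec for specific operations, re-add the command and scope it with allow/deny entries per MBean rather than permitting it globally; confirm the loaded policy by checking that an exec request against a denied operation is refused.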

Advisories

Source: GitHub GHSA
ID: GHSA-rxpj-7qvf-xv32
Title: Authenticated Apache ActiveMQ Broker and Apache ActiveMQ users could perform RCE via Jolokia MBeans

History

Thu, 16 Apr 2026 20:00:00 +0000

First Time appeared
  Added: Apache activemq Broker
CPEs
  Added: cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
  Added: cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Apache activemq Broker

Thu, 16 Apr 2026 18:15:00 +0000

References
Metrics
  Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 17:45:00 +0000

Metrics
  Added: kev {'dateAdded': '2026-04-16T00:00:00+00:00', 'dueDate': '2026-04-30T00:00:00+00:00'}


Wed, 08 Apr 2026 20:15:00 +0000

First Time appeared
  Added: Apache
  Added: Apache activemq
Vendors & Products
  Added: Apache
  Added: Apache activemq

Wed, 08 Apr 2026 16:00:00 +0000

Description
  Removed: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
  Added: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
Title
  Removed: Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
  Added: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

Wed, 08 Apr 2026 08:45:00 +0000

Description
  Removed: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.
  Added: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.

Wed, 08 Apr 2026 00:15:00 +0000

Weaknesses
  CWE-78
References
Metrics
  Removed: threat_severity None
  Added: threat_severity Important


Tue, 07 Apr 2026 15:15:00 +0000

Metrics
  Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:30:00 +0000

References

Tue, 07 Apr 2026 08:15:00 +0000

Description
  Added: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.
Title
  Added: Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Weaknesses
  Added: CWE-20
  Added: CWE-94
References

MITRE
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-04-17T03:55:12.349Z
Reserved: 2026-03-26T14:51:21.456Z
Link: CVE-2026-34197

Vulnrichment
Updated: 2026-04-07T08:29:14.653Z

NVD
Status: Analyzed
Published: 2026-04-07T09:16:20.967
Modified: 2026-04-16T19:59:38.107
Link: CVE-2026-34197

Redhat
Severity: Important
Public Date: 2026-04-07T07:50:10Z
Links: CVE-2026-34197 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-28T09:00:06Z

Weaknesses