Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including
BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).

An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.
Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().



This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.



Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
Published: 2026-04-07
Score: 8.8 High
EPSS: 96.7% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker with broker credentials can use the Jolokia JMX‑HTTP bridge exposed at /api/jolokia/ to execute arbitrary code on an ActiveMQ broker. The vulnerable interface allows exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). By providing a crafted discovery URI, the attacker forces the VM transport’s brokerConfig parameter to load a remote Spring XML application context with ResourceXmlApplicationContext, causing all singleton beans to be instantiated before broker configuration is validated. This leads to code injection via native methods such as Runtime.exec(), resulting in arbitrary code execution within the broker’s JVM. The flaw is classified as Improper Input Validation (CWE‑20), Improper Control of Generation of Code (CWE‑94), and System Interface Use with Untrusted Input (CWE‑78).

Affected Systems

The vulnerability affects Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ Broker. Versions before 5.19.4 and all releases from 6.0.0 up to but not including 6.2.3 are impacted. These products expose the Jolokia interface by default, enabling the exploitation path outlined above.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity risk, and the EPSS score of 96% reflects a very high likelihood of exploitation in the wild. Additionally the vulnerability is listed in the CISA KEV catalog, confirming active exploitation. An attacker must gain authenticated access and send a crafted request to the /api/jolokia/ endpoint; once done, arbitrary code runs with the privileges of the broker process.

Generated by OpenCVE AI on June 24, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Apache ActiveMQ to version 5.19.4 or later 6.2.3, which resolves the vulnerability.
  • If an upgrade is not immediately possible, restrict or disable the Jolokia JMX‑HTTP bridge (remove the /api/jolokia/ endpoint) or enforce a stricter access policy that denies exec operations on ActiveMQ MBeans.
  • Ensure the ActiveMQ broker is protected by strong authentication and limited to trusted networks; consider firewall rules to block external access to the Jolokia interface and other management ports.

Generated by OpenCVE AI on June 24, 2026 at 12:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rxpj-7qvf-xv32 Authenticated Apache ActiveMQ Broker and Apache ActiveMQ users could perform RCE via Jolokia MBeans
History

Thu, 16 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache activemq Broker
CPEs cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
Vendors & Products Apache activemq Broker

Thu, 16 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-04-16T00:00:00+00:00', 'dueDate': '2026-04-30T00:00:00+00:00'}


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache activemq
Vendors & Products Apache
Apache activemq

Wed, 08 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
Title Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue. Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
References
Metrics threat_severity

None

threat_severity

Important


Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: . Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.
Title Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Weaknesses CWE-20
CWE-94
References

Subscriptions

Apache Activemq Activemq Broker
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-15T01:04:40.284Z

Reserved: 2026-03-26T14:51:21.456Z

Link: CVE-2026-34197

cve-icon Vulnrichment

Updated: 2026-04-07T08:29:14.653Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T09:16:20.967

Modified: 2026-06-17T10:38:38.260

Link: CVE-2026-34197

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T07:50:10Z

Links: CVE-2026-34197 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')