Security researchers discovered a remote code execution vulnerability in Apache ActiveMQ Classic that went undetected for 13 years and can be exploited to run arbitrary system commands. Tracked as CVE-2026-34197 and found with the help of the Claude AI assistant, the flaw stems from Jolokia’s exposed addNetworkConnector enabling remote Spring XML loading.
Key points
- A critical RCE in ActiveMQ Classic (CVE-2026-34197) impacts versions before 5.19.4 and 6.0.0–6.2.3.
- An attacker can force the broker to fetch a remote Spring XML and execute arbitrary system commands during initialization.
- The issue was uncovered with Claude AI, which stitched together interactions across Jolokia, JMX, network connectors, and VM transports.
- Although Jolokia normally requires authentication, versions 6.0.0–6.1.1 are exposed unauthenticated due to CVE-2024-32114.
- Apache fixed the flaw in 5.19.4 and 6.2.3; organizations should prioritize patching and search broker logs for VM transport activity and brokerConfig=xbean:http:// indicators.
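
A log scan for the two indicators named in the last key point, added here as an example (it is not code from Apache or from the researchers). The sample log lines, their layout and the function names are constructed for illustration; the scan also matches https and percent-encoded forms of the indicator, which goes beyond the literal string given above.

```python
import re
from urllib.parse import unquote, urlsplit

# Remote Spring XML handed to a VM transport: the indicator from the key points.
REMOTE_XBEAN = re.compile(r"brokerConfig=xbean:(https?://[^\s\"')&]+)", re.I)
# Any VM transport URI; lower confidence, since embedded clients use vm:// legitimately.
VM_URI = re.compile(r"\bvm://[^\s\"')]+", re.I)

# Constructed sample lines (not real broker output; addresses are documentation ranges).
SAMPLE = [
    "2026-04-08 10:01:12,101 | INFO  | Connector openwire started | constructed",
    "2026-04-08 10:02:40,553 | INFO  | Connector vm://localhost started | constructed",
    "2026-04-08 10:03:05,870 | WARN  | bridge to vm://peer?brokerConfig=xbean:"
    "http://198.51.100.7/constructed.xml failed | constructed",
    "2026-04-08 10:03:09,114 | WARN  | uri=vm%3A%2F%2Fpeer%3FbrokerConfig%3Dxbean"
    "%3Ahttp%3A%2F%2F203.0.113.9%2Fconstructed.xml | constructed",
]

def decode(line, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so encoded indicators still match."""
    for _ in range(rounds):
        nxt = unquote(line)
        if nxt == line:
            break
        line = nxt
    return line

def scan(lines):
    """Return one finding per matching line: 'high' for a remote xbean config,
    'review' for other VM transport activity."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = decode(raw.rstrip("\n"))
        m = REMOTE_XBEAN.search(line)
        if m:
            host = urlsplit(m.group(1)).hostname
            findings.append({"line": n, "severity": "high", "remote_host": host})
        elif VM_URI.search(line):
            findings.append({"line": n, "severity": "review", "remote_host": None})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

The "review" tier needs a baseline of the broker's normal vm:// usage before it is useful for alerting; the "high" tier should be rare enough to investigate on every hit.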