A remote code execution vulnerability that lurked in Apache ActiveMQ Classic for 13 years can be chained with an older flaw to bypass authentication and force the broker to retrieve and execute remote configuration files via the Jolokia API. Horizon3.ai identifies the issue as CVE-2026-34197 and explains that it can be combined with CVE-2022-41678 and, in some deployments, CVE-2024-32114 to achieve unauthenticated RCE through the VM transport. It notes that fixes are available in ActiveMQ Classic 5.19.4 and 6.2.3.
Keypoints
- CVE-2026-34197 allows attackers to invoke management operations via the Jolokia API to fetch remote configs and execute OS commands.
- The flaw serves as a bypass for CVE-2022-41678, which enables writing webshells to disk through specific JDK MBeans.
- Exploitation requires leveraging ActiveMQ's VM transport to create an embedded broker that loads attacker-supplied configuration URLs.
- On some deployments, CVE-2024-32114 exposes Jolokia without authentication, enabling RCE without credentials.
- Patches are available in ActiveMQ Classic 5.19.4 and 6.2.3, and users should update their deployments immediately.
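
To act on the last two points, the following added example (not code from Horizon3.ai, SecurityWeek or the ActiveMQ project) triages a broker inventory against the fixed releases named above and raises priority where Jolokia is reachable without credentials. The mapping of each major line to its fix release, the status labels and the inventory entries are assumptions of this example.

```python
import re

# Fixed releases named in the summary. Treating each as the fix for its whole
# major line (5.x -> 5.19.4, 6.x -> 6.2.3) is an assumption of this example.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}

def parse_version(text):
    """Return ((major, minor, patch), has_suffix) for '5.18.3', '6.2.3-SNAPSHOT', '5.9'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = tuple(int(g or 0) for g in m.groups()[:3])
    return numbers, bool(m.group(4).strip())

def triage(version, jolokia_requires_auth):
    """Classify one broker as 'patched', 'update', 'update-urgent' or 'review'."""
    ver, has_suffix = parse_version(version)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "review"   # major line the summary does not mention
    if ver == fixed and has_suffix:
        return "review"   # e.g. a -SNAPSHOT build may predate the fix
    if ver >= fixed:      # numeric tuple comparison, so 5.9 < 5.19
        return "patched"
    # Unpatched with Jolokia open to anyone is the no-credentials case above.
    return "update" if jolokia_requires_auth else "update-urgent"

# Constructed inventory: hostnames, versions and auth flags are sample data.
INVENTORY = [
    ("mq-a.example.internal", "5.19.4", True),
    ("mq-b.example.internal", "5.18.6", True),
    ("mq-c.example.internal", "6.1.0", False),
    ("mq-d.example.internal", "6.2.3-SNAPSHOT", True),
]

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver, auth) for host, ver, auth in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```
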
Read More: https://www.securityweek.com/rce-bug-lurked-in-apache-activemq-classic-for-13-years/