13-year-old ActiveMQ flaw lets attackers run commands remotely

Security researchers found a remote code execution flaw in Apache ActiveMQ Classic that had gone unnoticed for 13 years and can let attackers run arbitrary commands, according to a technical disclosure from Horizon3. The bug, tracked as CVE-2026-34197, carries a high severity score of 8.8 and affects ActiveMQ broker versions before 5.19.4 and all versions from 6.0.0 through 6.2.3.

KEY FACTS

  • Discovery: The issue was found with help from the Claude AI assistant.
  • Scope: It affects Apache ActiveMQ Classic, not the newer Artemis branch.
  • Fix: Apache addressed the flaw on March 30 in versions 5.19.4 and 6.2.3.
  • Risk: In some versions, a separate bug makes the path unauthenticated.

Apache ActiveMQ is a Java message broker used for asynchronous communication through message queues or topics. The affected Classic edition is widely deployed in enterprise systems, web backends, government networks and other Java-based environments.

According to the report, the flaw sits in the Jolokia management API, which exposes a broker function that can be abused to load external configuration. A specially crafted request can make the broker fetch a remote Spring XML file and execute commands during initialization.

The issue normally requires authentication through Jolokia. On versions 6.0.0 through 6.1.1, however, a separate bug tracked as CVE-2024-32114 exposes the API without access control, which makes the path unauthenticated.

The disclosure says signs of exploitation can be checked in broker logs by looking for suspicious connections that use the VM transport protocol together with the brokerConfig=xbean:http:// parameter. It adds that command execution happens during repeated connection attempts, and that a configuration warning may appear only after the payload has already run, so the warning alone is not an early indicator.
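As an added illustration (not code from the Horizon3 report or the ActiveMQ project), the following Python scanner implements the log check described above: it flags VM transport URIs whose brokerConfig option points at an xbean:http(s) location and records every line on which the same remote file recurs, matching the repeated connection attempts the disclosure mentions. The log line layout and the addresses in the sample are constructed assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines; the layout is an assumption, not the broker's real format.
SAMPLE_LOG = """\
2026-03-31 10:01:02,117 INFO  Connector vm://localhost started
2026-03-31 10:03:15,440 INFO  Connector vm://broker1?brokerConfig=xbean:http://203.0.113.9/remote.xml started
2026-03-31 10:03:16,002 INFO  Connector vm://broker1?brokerConfig=xbean:http://203.0.113.9/remote.xml started
2026-03-31 10:05:00,900 INFO  Connector vm://broker2?brokerConfig=xbean:activemq.xml started
2026-03-31 10:06:30,123 WARN  Configuration warning logged after the fact
"""

# A VM transport URI runs from "vm://" up to the next whitespace.
VM_URI = re.compile(r"vm://\S+")


def suspicious_broker_config(uri: str) -> Optional[str]:
    """Return the remote location if this VM transport URI asks the broker to
    load its configuration from an xbean:http(s) URL, otherwise None.

    A local xbean file (e.g. xbean:activemq.xml) is normal and is not flagged.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "vm":
        return None
    # parse_qs also decodes percent-encoded values, so an encoded URL still matches.
    value = parse_qs(parts.query).get("brokerConfig", [""])[0]
    if not value.lower().startswith("xbean:"):
        return None
    location = value[len("xbean:"):]
    if location.lower().startswith(("http://", "https://")):
        return location
    return None


def scan_broker_log(text: str) -> Dict[str, List[int]]:
    """Map each remote xbean location found in VM transport URIs to the line
    numbers on which it appeared; several lines for one location correspond to
    the repeated connection attempts during which execution occurs."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in VM_URI.finditer(line):
            remote = suspicious_broker_config(match.group(0))
            if remote:
                hits.setdefault(remote, []).append(lineno)
    return hits


if __name__ == "__main__":
    for remote, lines in scan_broker_log(SAMPLE_LOG).items():
        print(f"remote brokerConfig {remote} seen on lines {lines}")
```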

WHY IT MATTERS

ActiveMQ has been a target in earlier real-world attacks, and the researchers said the new flaw should be treated as high priority. Organizations running affected versions may need to patch quickly and review logs for signs of abuse.