CISA said a high-severity flaw in Apache ActiveMQ Classic is being actively exploited in the wild and added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16, 2026. The agency set an April 30 deadline for Federal Civilian Executive Branch agencies to apply fixes.
KEY FACTS
- Severity: The flaw has a CVSS score of 8.8.
- Effect: It can enable code injection and arbitrary code execution on affected systems.
- Affected versions: ActiveMQ Broker and activemq-all releases before 5.19.4, and releases from 6.0.0 up to but not including 6.2.3, are impacted.
- Fix: Apache says users should upgrade to 5.19.4 or 6.2.3.
A vendor advisory says the issue stems from improper input validation. The weakness can let an attacker use the Jolokia management API to make the broker fetch a remote configuration file and run operating system commands.
According to the disclosure, credentials are normally required, but default admin credentials are common in some environments. In versions 6.0.0 through 6.1.1, CVE-2024-32114 can expose Jolokia without authentication, which makes this flaw effectively unauthenticated in those releases.
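An added example, not from Apache, CISA or the original article: a small inventory triage that applies the version ranges and the 6.0.0 through 6.1.1 unauthenticated window described above. The function names, status labels, the handling of pre-release qualifiers and the sample hosts are assumptions made for illustration.

```python
import re

# Boundaries as stated in the article; names and labels are this example's own.
FIXED_5X = (5, 19, 4)      # 5.x releases before this are affected
FIRST_6X = (6, 0, 0)
FIXED_6X = (6, 2, 3)       # 6.x releases before this are affected
UNAUTH_LAST = (6, 1, 1)    # 6.0.0-6.1.1: CVE-2024-32114 can expose Jolokia without auth

SEVERITY = {"affected-unauthenticated": 0, "affected-credentials-required": 1,
            "review-prerelease": 2, "patched": 3}


def parse_version(text):
    """Return ((major, minor, patch), has_qualifier) for '5.18.3', '6.2.3-SNAPSHOT', ..."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?([-.]\S+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) if p else 0 for p in m.group(1, 2, 3))
    return nums, m.group(4) is not None


def classify(version_text):
    v, qualified = parse_version(version_text)
    if v in (FIXED_5X, FIXED_6X) and qualified:
        # Assumption: a qualified build of a fixed version may predate the fix.
        return "review-prerelease"
    if v < FIRST_6X:
        return "patched" if v >= FIXED_5X else "affected-credentials-required"
    if v >= FIXED_6X:
        return "patched"
    return ("affected-unauthenticated" if v <= UNAUTH_LAST
            else "affected-credentials-required")


def triage(inventory):
    """Return (host, version, status) rows, most urgent first."""
    rows = [(h, ver, classify(ver)) for h, ver in inventory.items()]
    return sorted(rows, key=lambda r: (SEVERITY[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"mq-01.example.internal": "5.18.3", "mq-02.example.internal": "6.1.0",
          "mq-03.example.internal": "6.2.3", "mq-04.example.internal": "6.2.0",
          "mq-05.example.internal": "5.19.4-SNAPSHOT"}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{status:32} {ver:18} {host}")
```

Versions are compared as integer tuples, so 5.9.0 correctly sorts below 5.19.4, which a plain string comparison would get wrong.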
No public details have been released on the exact active exploitation method. The report said threat actors are targeting exposed Jolokia management endpoints, and Fortinet telemetry recorded dozens of attempts over the past few days, with activity peaking on April 14.
Apache ActiveMQ has been targeted repeatedly in past campaigns, including exploitation of CVE-2023-46604 in August 2025 to drop the DripDropper malware. Security researchers said exposed management interfaces can support data theft, service disruption or lateral movement, which is why organizations are being told to restrict access and disable Jolokia where it is not needed.
WHY IT MATTERS
The case shows how quickly newly disclosed flaws can be weaponized, especially in widely deployed infrastructure software. Systems with exposed management interfaces may face immediate risk until updates are applied and access is tightened.

