A 13-year-old remote code execution vulnerability (CVE-2026-34197, CVSS 8.8) has been discovered in Apache ActiveMQ Classic, affecting versions before 5.19.4 and 6.0.0–6.2.3. The flaw was found by Horizon3 researcher Naveen Sunkavally using Claude AI, which identified how multiple components (Jolokia, JMX, network connectors, VM transports) interact dangerously together. An attacker can exploit the Jolokia management API to load a remote Spring XML file and execute arbitrary system commands. On versions 6.0.0–6.1.1, a separate bug (CVE-2024-32114) makes the attack unauthenticated. Apache patched the issue in versions 6.2.3 and 5.19.4. Organizations are urged to treat this as high priority given ActiveMQ's history of being targeted in real-world attacks.
Table of contents
Related Articles:Sort: