[CIVN-2026-0193] Arbitrary Code injection Vulnerability in Apache ActiveMQ Classic

Published On: April 18, 2026



Indian Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


Apache ActiveMQ Broker versions prior to 5.19.4

Apache ActiveMQ Broker versions 6.0.0 to 6.2.3

Apache ActiveMQ (activemq-all) versions prior to 5.19.4

Apache ActiveMQ (activemq-all) versions 6.0.0 to 6.2.3

Overview


A vulnerability has been reported in Apache ActiveMQ Classic which could allow an authenticated attacker to execute arbitrary code on the targeted system.


Target Audience:

Individuals and end-user organizations using affected Apache ActiveMQ. 


Risk Assessment:

High risk of arbitrary remote code execution, sensitive data disclosure, lateral movement and service disruptions.


Impact Assessment:

Potential for complete system compromise, unauthorized access, and execution of malicious commands.


Description


Apache ActiveMQ is an open-source message broker that supports messaging protocols such as JMS and is widely used in enterprise integration.


This vulnerability exists in Apache ActiveMQ due to improper input validation and unsafe handling of code execution through the Jolokia endpoint exposed at /api/jolokia/. An authenticated attacker could exploit this vulnerability by invoking these methods with a specially crafted discovery URI.


Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary code on the targeted system.
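Because exploitation requires an authenticated request to /api/jolokia/, the web console access log is a natural place to review who has been reaching that endpoint. The following log-triage sketch is an added example, not part of the CERT-In advisory or of Apache's code. It assumes an NCSA-style access log and a hypothetical management-network allowlist, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# NCSA common/combined log line (assumed format of the web console access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
JOLOKIA = "/api/jolokia"  # endpoint named in the advisory

# Constructed sample lines (documentation address ranges, made-up users).
SAMPLE_LOG = """\
192.0.2.10 - admin [18/Apr/2026:09:12:01 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
192.0.2.10 - admin [18/Apr/2026:09:12:05 +0000] "GET /api/jolokia/read/java.lang:type=Memory HTTP/1.1" 200 812
203.0.113.77 - - [18/Apr/2026:09:14:40 +0000] "POST /api/jolokia/ HTTP/1.1" 401 0
203.0.113.77 - svc-monitor [18/Apr/2026:09:14:43 +0000] "POST /api/jolokia/ HTTP/1.1" 200 1033
203.0.113.77 - svc-monitor [18/Apr/2026:09:14:44 +0000] "POST /api/jolokia/ HTTP/1.1" 200 640
garbage line that does not parse
"""

def jolokia_hits(log_text):
    """Yield parsed requests whose path targets the Jolokia endpoint."""
    for m in map(LOG_RE.match, log_text.splitlines()):
        if not m:
            continue  # skip lines that do not match the assumed format
        path = m["path"].split("?", 1)[0]
        if path == JOLOKIA or path.startswith(JOLOKIA + "/"):
            yield m.groupdict()

def is_internal(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or junk in the address field: treat as outside
    return any(ip in n for n in nets)

def triage(log_text, mgmt_nets):
    """Count authenticated, successful Jolokia requests per (ip, user) that come
    from outside mgmt_nets. Access logs omit request bodies, so hits are leads."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = Counter()
    for hit in jolokia_hits(log_text):
        authed = hit["user"] != "-" and hit["status"].startswith("2")
        if authed and not is_internal(hit["ip"], nets):
            findings[(hit["ip"], hit["user"])] += 1
    return dict(findings)

for (ip, user), n in triage(SAMPLE_LOG, ["192.0.2.0/24"]).items():
    print(f"review: {n} authenticated Jolokia request(s) from {ip} as {user}")
```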


Solution


Apply appropriate updates as mentioned by the vendor:

https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt



Vendor Information


Apache ActiveMQ

https://activemq.apache.org/


References


Apache ActiveMQ

https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt


CVE Name

CVE-2026-34197






Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax: 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003
