Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

Ravie LakshmananApr 17, 2026Vulnerability / Enterprise Security

A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 30, 2026.

CVE-2026-34197 has been described as a case of improper input validation that could lead to code injection, effectively allowing an attacker to execute arbitrary code on susceptible installations. According to Horizon3.ai’s Naveen Sunkavally, CVE-2026-34197 has been “hiding in plain sight” for 13 years.

“An attacker can invoke a management operation through ActiveMQ’s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands,” Sunkavally added.

“The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.”

The vulnerability impacts the following versions –

Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3

Users are advised to upgrade to version 5.19.4 or 6.2.3, which addresses the issue. There are currently no details on how CVE-2026-34197 is being exploited in the wild, but SAFE Security, in a report published this week, revealed that…

Source