{"id":233561,"date":"2026-04-17T03:56:00","date_gmt":"2026-04-17T07:56:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/17\/u-s-cisa-adds-a-flaw-in-apache-activemq-to-its-known-exploited-vulnerabilities-catalog\/"},"modified":"2026-04-20T19:15:18","modified_gmt":"2026-04-20T23:15:18","slug":"u-s-cisa-adds-a-flaw-in-apache-activemq-to-its-known-exploited-vulnerabilities-catalog","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/17\/u-s-cisa-adds-a-flaw-in-apache-activemq-to-its-known-exploited-vulnerabilities-catalog\/","title":{"rendered":"U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog"},"content":{"rendered":"

U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog<\/a><\/p>\n

https:\/\/securityaffairs.com\/190917\/security\/u-s-cisa-adds-a-flaw-in-apache-activemq-to-its-known-exploited-vulnerabilities-catalog.html<\/a><\/p>\n

Publish Date: 2026-04-17 03:56:00<\/a><\/p>\n

Source Domain: securityaffairs.com<\/a><\/p>\n

U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog<\/h2>\n<\/p>\n

\t\t\t\t\t\t\t Pierluigi Paganini<\/span>
\n\t\t\t\t\t\t\t\"\"\/ April 17, 2026<\/span><\/p>\n

\t\t\t\t\t\t\"\"\/<\/p>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog<\/h2>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added\u00a0a flaw in Apache ActiveMQ, tracked as CVE-2026-34197 (CVSS score of 8.8), to its\u00a0Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n

CVE-2026-34197 is a critical flaw in Apache ActiveMQ caused by improper input validation and unsafe code execution. It affects the Jolokia JMX-HTTP bridge exposed via the web console, which allows execution of certain management operations. <\/p>\n

An authenticated attacker can send crafted requests with a malicious discovery URI that forces the broker to load a remote Spring XML configuration. Because Spring initializes beans before validation, attackers can execute arbitrary code, for example via Runtime.exec(). This results in remote code execution on the broker\u2019s JVM. <\/p>\n

\u201cApache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at \/api\/jolokia\/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).\u201d reads the advisory. \u201cAn authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport\u2019s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring\u2019s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker\u2019s JVM through bean factory methods such as Runtime.exec().\u201d<\/p>\n

The issue affects versions before 5.19.4 and 6.2.3, and users are strongly…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog https:\/\/securityaffairs.com\/190917\/security\/u-s-cisa-adds-a-flaw-in-apache-activemq-to-its-known-exploited-vulnerabilities-catalog.html…<\/p>\n","protected":false},"author":1,"featured_media":233562,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2020\/07\/CISA.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-233561","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/233561"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=233561"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/233561\/revisions"}],"predecessor-version":[{"id":233563,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/233561\/revisions\/233563"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/233562"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=233561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=233561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=233561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}