Apache has patched a critical remote code execution vulnerability in its ActiveMQ Broker, tracked as CVE-2026-34197, which is currently being exploited in the wild. This flaw, with a CVSS score of 8.8, affects the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/` on the ActiveMQ web console. The vulnerability stems from improper input validation and code injection issues, categorized under CWE-20 and CWE-94.
The flaw was publicly disclosed on April 7, 2026, and was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on April 16, 2026, highlighting its active exploitation status. Attackers have been quick to leverage this vulnerability, with exploitation occurring within just 5.7 days of its disclosure. The availability of nine proof-of-concept (PoC) exploits has further facilitated these attacks.
The vulnerability affects a significant number of systems, with over 6,000 publicly exposed Apache ActiveMQ instances identified as vulnerable. These instances are at risk of remote code execution, allowing attackers to execute arbitrary code on the affected systems. The default Jolokia access policy, which permits exec operations, exacerbates the risk by providing a straightforward path for exploitation.
Organizations using Apache ActiveMQ are urged to apply the available patches immediately to mitigate the risk of exploitation. The high severity of this vulnerability, combined with its active exploitation, makes it a critical priority for system administrators and security teams.
As attackers continue to exploit this vulnerability, defenders should ensure that their ActiveMQ instances are not publicly exposed and that access controls are properly configured. Monitoring for unusual activity on systems running ActiveMQ and reviewing logs for signs of exploitation attempts are also recommended to detect and respond to potential breaches promptly.
CSURFACE