Apache has patched a critical vulnerability in its ActiveMQ Broker, tracked as CVE-2026-34197, which has been actively exploited in the wild. This vulnerability, with a CVSS score of 8.8, affects the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/` on the web console of Apache ActiveMQ Classic. The flaw arises from improper input validation and code injection issues, categorized under CWE-20 and CWE-94.
The vulnerability was disclosed on April 7, 2026, and within just 5.7 days, attackers began exploiting it. This rapid time-to-exploit highlights the urgency for organizations to patch their systems promptly. The flaw has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of April 16, 2026, underscoring its critical nature and the need for immediate remediation.
More than 6,000 instances of Apache ActiveMQ have been identified as vulnerable and exposed online, making them potential targets for attackers. The default Jolokia access policy, which permits exec operations, exacerbates the risk, allowing attackers to execute arbitrary code on affected systems. This could lead to unauthorized access, data breaches, and potentially severe disruptions to business operations.
Proof-of-concept (PoC) exploits for CVE-2026-34197 are readily available, with at least nine known PoCs circulating. This availability further increases the risk of exploitation, as even less sophisticated attackers can leverage these PoCs to compromise vulnerable systems.
Organizations using Apache ActiveMQ should prioritize applying the available patches to mitigate this risk. Additionally, they should review their Jolokia access policies to ensure that unnecessary permissions are not granted, thereby reducing the attack surface.
Given the active exploitation and the high number of exposed instances, security teams should also monitor their networks for signs of compromise and unusual activity related to ActiveMQ. Implementing network segmentation and robust access controls can help contain potential breaches and limit the impact of successful exploits.
In summary, CVE-2026-34197 represents a significant threat to organizations using Apache ActiveMQ. With active exploitation in the wild and a high number of vulnerable instances, immediate action is required to secure systems and prevent potential attacks.
CSURFACE