
Claude flags long-hidden ActiveMQ flaw

A newly disclosed security flaw in Apache ActiveMQ Classic is drawing urgent attention after researchers said the bug had been sitting unnoticed for 13 years and could let attackers execute code on vulnerable systems. The issue, tracked as CVE-2026-34197, was described by Horizon3.ai chief architect Naveen Sunkavally in an April 7 post that said the weakness should be treated as a high-priority risk, particularly in environments where default credentials remain in place. Apache has also published its own advisory confirming the vulnerability and the patched versions.

Apache’s advisory says the flaw affects Apache ActiveMQ Broker before version 5.19.4 and the 6.x line from 6.0.0 up to, but not including, 6.2.3. The foundation said the problem lies in the way ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge through the web console, allowing an authenticated attacker to invoke management operations with a crafted URI that can trigger remote loading of a Spring XML application context and, in turn, arbitrary code execution within the broker’s Java virtual machine. Apache credited Sunkavally as the finder and urged users to upgrade to version 5.19.4 or 6.2.3.

The case has attracted wider notice because the vulnerability appears to combine an old design weakness with present-day exposure patterns. Horizon3.ai said the attack requires credentials in many deployments, but warned that the long-criticised use of the default “admin:admin” credentials remains common enough to turn a nominally authenticated flaw into a practical one. The firm added that on versions 6.0.0 to 6.1.1 the risk is more severe because of CVE-2024-32114, a separate issue in which the default configuration failed to secure the API web context, including Jolokia. Some systems in that range may therefore expose the Jolokia path without any authentication, effectively broadening the attack surface.

Apache ActiveMQ is one of the better-known open-source message brokers used to move data between applications in distributed systems. The project says it supports multiple protocols and is widely used in enterprise integration settings. That footprint helps explain why each serious vulnerability in the software tends to get scrutiny well beyond the software supply chain community. ActiveMQ Classic, the product affected here, is distinct from ActiveMQ Artemis, which is a newer implementation and is not identified in the advisory for this flaw.

Cybersecurity specialists are also watching the disclosure through the lens of ActiveMQ’s attack history. Horizon3.ai noted that two earlier ActiveMQ vulnerabilities, CVE-2016-3088 and CVE-2023-46604, are already on the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalogue. CISA entries show both flaws have been tied to real-world exploitation, underscoring why defenders often react quickly when new remote code execution paths emerge in the broker. The background matters because it suggests attackers are familiar with the product and willing to target it when opportunities arise.

The chronology is tight. Apache’s download and security pages show ActiveMQ Classic 6.2.3 was released on March 30, 2026, and version 5.19.4 on March 31, 2026, with both now listed as the fixed builds for supported branches. Sunkavally’s public write-up followed on April 7, laying out the technical chain that can lead from a management operation to remote code execution. That sequence suggests coordinated handling between discovery, patching and broader disclosure, though the public material available so far is more detailed on the technical mechanism than on the vendor-researcher timeline.

For operators, the practical issue is less the age of the bug than the conditions that make it exploitable. Organisations running supported ActiveMQ Classic branches need to verify whether they are on the fixed builds, 5.19.4 or 6.2.3, review whether the web console and Jolokia endpoints are exposed, and check whether weak or inherited credentials remain in place. Users on deprecated lines face a more difficult decision because Apache’s own release table marks several older branches as unsupported, meaning no ongoing fixes are expected there. That leaves some environments exposed not only to this flaw but to the broader risks that come with ageing middleware still embedded deep inside production systems.
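The two checks above, version triage against the advisory ranges (including the 6.0.0 to 6.1.1 overlap with CVE-2024-32114 noted earlier) and a scan for the stock web-console credentials, can be scripted. The following is an added example written for this article, not code from Apache, Horizon3.ai or the ActiveMQ project. It assumes that a stock ActiveMQ Classic install ships `conf/jetty-realm.properties` with the `admin: admin, admin` and `user: user, user` entries, and the realm file it parses is a constructed sample.

```python
"""Triage helper for CVE-2026-34197 in Apache ActiveMQ Classic.

Added example, not Apache or Horizon3.ai code. It encodes the affected
version ranges from the Apache advisory as reported above and audits a
jetty-realm.properties body for default or username-equals-password
credentials. All sample input below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

FIXED_5X = (5, 19, 4)   # first fixed 5.x build
FIXED_6X = (6, 2, 3)    # first fixed 6.x build
# Last 6.x release whose default config left the /api web context (Jolokia)
# unauthenticated, CVE-2024-32114, per the report above.
LAST_UNSECURED_API_6X = (6, 1, 1)

# Username/password pairs shipped in conf/jetty-realm.properties of a stock
# ActiveMQ Classic install (assumption: defaults left unchanged).
DEFAULT_CREDS = {("admin", "admin"), ("user", "user")}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '5.18.3' or '6.2.3-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


@dataclass
class Finding:
    version: str
    cves: list[str] = field(default_factory=list)

    @property
    def affected(self) -> bool:
        return bool(self.cves)


def triage_version(text: str) -> Finding:
    """Map a broker version to the CVEs from the advisory text that apply to it."""
    v = parse_version(text)
    finding = Finding(version=text)
    if v < FIXED_5X:
        # Advisory wording: everything before 5.19.4 on the 5.x (and older) line.
        finding.cves.append("CVE-2026-34197")
    elif v[0] == 6 and v < FIXED_6X:
        finding.cves.append("CVE-2026-34197")
        if v <= LAST_UNSECURED_API_6X:
            # Default config may expose Jolokia with no authentication at all.
            finding.cves.append("CVE-2024-32114")
    return finding


def find_default_credentials(realm_properties: str) -> list[str]:
    """Return usernames whose entry still uses a stock default pair or reuses the
    username as the password. Jetty realm format: 'user: password[, role, ...]'."""
    weak: list[str] = []
    for raw in realm_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        user = user.strip()
        password = rest.split(",")[0].strip()
        if (user, password) in DEFAULT_CREDS or user == password:
            weak.append(user)
    return weak


# Constructed sample of conf/jetty-realm.properties: two stock entries, one rotated.
SAMPLE_REALM = """\
# constructed sample, not a real deployment
admin: admin, admin
user: user, user
ops: Zr9!kq2#Vp, admin
"""


def main() -> None:
    for ver in ("5.18.3", "5.19.4", "6.1.1", "6.1.2", "6.2.3"):
        f = triage_version(ver)
        status = ", ".join(f.cves) if f.affected else "not affected per advisory"
        print(f"{ver:8} {status}")
    weak = find_default_credentials(SAMPLE_REALM)
    print("default credentials still present for:", weak or "none")


if __name__ == "__main__":
    main()
```

Run it with a version string from `activemq --version` and the contents of your own `conf/jetty-realm.properties`; anything reported for 6.0.0 through 6.1.1 deserves first attention, since there the credential check may be moot if the `/api` context is reachable without a login.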
