CVE-2026-34197
CISA KEVCritical remote code execution vulnerability in Apache ActiveMQ Classic residing in the interaction between the Jolokia JMX-HTTP bridge, the broker's network connector management API, and Spring Framework's XML application context loading mechanism. The Jolokia REST API at /api/jolokia/ permits exec operations on all ActiveMQ MBeans due to an overly permissive allowlist introduced after the CVE-2022-41678 fix. An attacker invokes BrokerService.addNetworkConnector() with a crafted VM transport URI containing a brokerConfig=xbean:http:// parameter pointing to a malicious Spring XML file. Spring's ResourceXmlApplicationContext fetches the remote XML and instantiates singleton beans — including MethodInvokingFactoryBean calling Runtime.exec() — before the BrokerService validates the configuration, yielding reliable arbitrary OS command execution. Exploitation requires Jolokia authentication (default admin:admin widely deployed), but on ActiveMQ 6.0.0-6.1.1 the vulnerability is effectively unauthenticated due to CVE-2024-32114 exposing the Jolokia API without access control. The flaw existed undetected for approximately 13 years.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-20, CWE-94