# CVE-2026-34197

> Critical remote code execution vulnerability in Apache ActiveMQ Classic residing in the interaction between the Jolokia JMX-HTTP bridge, the broker's network connector management API, and Spring Framework's XML application context loading mechanism. The Jolokia REST API at /api/jolokia/ permits exec operations on all ActiveMQ MBeans due to an overly permissive allowlist introduced after the CVE-2022-41678 fix. An attacker invokes BrokerService.addNetworkConnector() with a crafted VM transport URI containing a brokerConfig=xbean:http:// parameter pointing to a malicious Spring XML file. Spring'

- **CVSS:** 8.8 (HIGH)
- **EPSS:** 84.2%
- **CISA KEV:** yes
- **CWE:** CWE-20, CWE-94

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-34197
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp