
RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years

The vulnerability requires authentication for successful exploitation, but another flaw exposes the Jolokia API without authentication.


A remote code execution (RCE) vulnerability that lurked in Apache ActiveMQ Classic for 13 years could be chained with an older flaw to bypass authentication, Horizon3.ai reports.

An open source messaging and Integration Patterns server, Apache ActiveMQ acts as a middleware broker that handles message queues and is widely used across numerous industries. ActiveMQ Classic is the original version of the broker.

Tracked as CVE-2026-34197, the newly identified bug allows attackers to invoke management operations through the Jolokia API and entice the broker to retrieve a remote configuration file and execute OS commands.

According to Horizon3.ai, the security defect is a bypass for CVE-2022-41678, a bug that allows attackers to write webshells to disk by invoking specific JDK MBeans.

The fix for that earlier bug, the cybersecurity firm explains, added a flag that makes every operation on every ActiveMQ MBean callable through Jolokia. The new code execution issue was identified in one such operation, which sets up broker-to-broker bridges at runtime.

Exploiting the bug, however, also requires targeting ActiveMQ’s VM transport feature, which was designed for embedding a broker inside an application so that the client and broker communicate directly within the same JVM.


If a VM transport URI references a nonexistent broker, ActiveMQ creates one and accepts a parameter instructing it to load a configuration, which could include attacker-supplied URLs.

By chaining the two mechanisms, an attacker could trick the broker into retrieving and running a Spring XML configuration file that “instantiates all bean definitions, resulting in remote code execution,” Horizon3.ai says.

The cybersecurity firm also notes that, on some deployments, RCE could be achieved without authentication by exploiting CVE-2024-32114, which exposes the Jolokia API to unauthenticated users.

“CVE-2024-32114 is a separate vulnerability in ActiveMQ 6.x where the /api/* path, which includes the Jolokia endpoint, was inadvertently removed from the web console’s security constraints. This means Jolokia is completely unauthenticated on ActiveMQ versions 6.0.0 through 6.1.1,” Horizon3.ai explains.

The newly discovered security defect was addressed in ActiveMQ Classic versions 5.19.4 and 6.2.3. Users are advised to update their deployments as soon as possible.
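For defenders triaging their own brokers, the two facts worth encoding are the version boundaries above (CVE-2026-34197 fixed in 5.19.4 and 6.2.3; CVE-2024-32114 leaving Jolokia unauthenticated on 6.0.0 through 6.1.1) and the fact that the attack path runs through the /api/jolokia endpoint of the web console. The script below is an added example written for this article, not code from SecurityWeek, Horizon3.ai or the ActiveMQ project: it checks a reported version against those boundaries and flags Jolokia requests in a web-console access log that are anonymous or come from off-host. The Jetty/NCSA log format, the assumption that every release before the fixed one on each branch is affected, and the sample log lines are all constructed assumptions.

```python
"""Defender-side triage helpers for the Apache ActiveMQ Classic Jolokia issues.

Added example; not code from SecurityWeek, Horizon3.ai or the ActiveMQ project.
Version boundaries come from the article: CVE-2026-34197 fixed in 5.19.4 and
6.2.3, CVE-2024-32114 affecting 6.0.0 through 6.1.1. Everything else is assumed.
"""
import re
from ipaddress import ip_address


def parse_version(text):
    """'5.18.3' -> (5, 18, 3); a '-SNAPSHOT' style suffix is dropped, missing parts are 0."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def needs_patch_for_cve_2026_34197(version):
    """True when the broker predates the fixed release on its branch.

    Assumption: every 5.x build before 5.19.4 and every 6.x build before 6.2.3
    is affected; other major versions are not covered by the advisory text.
    """
    v = parse_version(version)
    if v[0] == 5:
        return v < (5, 19, 4)
    if v[0] == 6:
        return v < (6, 2, 3)
    return False


def jolokia_unauthenticated(version):
    """CVE-2024-32114: /api/* (Jolokia included) is unauthenticated on 6.0.0 through 6.1.1."""
    return (6, 0, 0) <= parse_version(version) <= (6, 1, 1)


# Assumed Jetty/NCSA-style access log line; real deployments may log differently.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def triage_access_log(lines, broker_version):
    """Return findings for requests that reach the Jolokia endpoint.

    A finding is raised for every /api/jolokia request that carries no
    authenticated user or originates off-host. On a version affected by
    CVE-2024-32114 the anonymous case is expected and the reason says so.
    """
    findings = []
    unauth_expected = jolokia_unauthenticated(broker_version)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/api/jolokia"):
            continue
        anonymous = m.group("user") == "-"
        try:
            remote = not ip_address(m.group("src")).is_loopback
        except ValueError:
            remote = True  # unparsable source address: treat as external
        if not (anonymous or remote):
            continue
        reason = []
        if anonymous:
            reason.append("unauthenticated Jolokia call"
                          + (" (CVE-2024-32114 exposure)" if unauth_expected else ""))
        if remote:
            reason.append("non-loopback source %s" % m.group("src"))
        findings.append({
            "ts": m.group("ts"), "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status")),
            "reason": "; ".join(reason),
        })
    return findings


# Constructed sample log lines; not taken from any real incident.
SAMPLE_LOG = [
    '127.0.0.1 - admin [14/Apr/2026:10:00:01 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120',
    '127.0.0.1 - admin [14/Apr/2026:10:00:02 +0000] "GET /api/jolokia/version HTTP/1.1" 200 312',
    '203.0.113.7 - - [14/Apr/2026:10:01:15 +0000] "POST /api/jolokia/ HTTP/1.1" 200 640',
    '198.51.100.9 - admin [14/Apr/2026:10:02:40 +0000] "POST /api/jolokia/ HTTP/1.1" 200 210',
]

if __name__ == "__main__":
    for ver in ("5.18.3", "5.19.4", "6.1.0", "6.2.3"):
        print(ver, "patch needed:", needs_patch_for_cve_2026_34197(ver),
              "jolokia open:", jolokia_unauthenticated(ver))
    for finding in triage_access_log(SAMPLE_LOG, "6.1.0"):
        print(finding)
```

Run against a real broker's access log, the version check tells you whether the upgrade is overdue, and the log triage narrows review to Jolokia calls that should not be there: on a patched, authenticated console the expected output is an empty list, so every finding is worth a look.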


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
