An AI assistant recently uncovered a critical remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that went unnoticed for 13 years.
Tracked as CVE-2026-34197, this flaw allows attackers to force the message broker to fetch a remote configuration file and execute arbitrary operating system commands.
While exploiting it normally requires administrator credentials, a separate flaw in specific versions makes it exploitable without any authentication.
Breaking Down the Exploit
ActiveMQ Classic includes a web-based administration console that uses Jolokia, an interface exposing broker management operations as a REST API.
After a previous vulnerability in 2023, developers restricted Jolokia to read-only operations by default but allowed all operations on ActiveMQ's own management beans (MBeans) to keep the console functional.
This blanket permission left a dangerous loophole. Attackers can call a specific operation named addNetworkConnector through the Jolokia API. Normally, developers use this feature to link brokers together for load balancing.
However, when supplied with a crafted vm:// URI (an internal transport protocol intended for embedded testing), the broker attempts to create a new connection.
If the attacker points this URI at a malicious, remote Spring XML configuration file, the broker fetches and executes the file, granting the attacker full system control.
For example, an attacker simply sends a JSON payload to the Jolokia API containing a rogue xbean:http:// URL, instructing the server to run a malicious script upon connection.
Under normal circumstances, an attacker needs default credentials (such as admin:admin) to access the Jolokia endpoint.
However, organizations running ActiveMQ versions 6.0.0 through 6.1.1 face a much greater risk.
A separate vulnerability, CVE-2024-32114, unintentionally removed the security constraints from the API path.
In these specific versions, the Jolokia endpoint is fully exposed, turning CVE-2026-34197 into an unauthenticated RCE attack.
Security researcher Naveen Sunkavally discovered this flaw using the Claude AI model, demonstrating how large language models are transforming vulnerability hunting.
By prompting the AI to analyse the codebase for accessible endpoints and prior vulnerabilities, the model pieced together the complex interaction between Jolokia, JMX, and network connectors in just 10 minutes, a task that often takes human researchers weeks of manual review.
Securing ActiveMQ Deployments
Organizations using ActiveMQ should treat this as a high priority, given the software's history of being targeted by ransomware groups and nation-state actors.
To protect your infrastructure:
- Update immediately to ActiveMQ Classic versions 5.19.4 or 6.2.3, which remove the dangerous vm:// transport capability from remote operations.
- Change all default credentials, especially the standard admin:admin combination.
- Monitor broker logs for suspicious network connector activity, especially looking for vm:// URIs combined with brokerConfig=xbean:http parameters.
- Watch for unexpected POST requests to the /api/jolokia/ path containing addNetworkConnector in the body.
- Set up alerts for unexpected outbound HTTP requests originating from the ActiveMQ broker process, or for unusual child processes spawned by the Java application.
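The two log-based indicators above (a Jolokia POST naming addNetworkConnector, and a vm:// URI carrying a remote brokerConfig=xbean:http parameter) can be turned into a simple scanner. The script below is an added example written for this article, not code from the article, the researcher or the ActiveMQ project; the log lines and their layout are constructed samples, so adapt the regexes to your broker's actual access-log and broker-log format.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines (not real logs). Line layout is an assumption:
# an access-log style line with the request body appended, and broker log
# lines announcing a network connector. 203.0.113.10 is a documentation address.
SAMPLE_LINES = [
    '10.0.0.5 - admin "POST /api/jolokia/ HTTP/1.1" 200 '
    '{"type":"exec","operation":"addNetworkConnector"}',
    'INFO | Establishing network connection from '
    'vm://localhost?brokerConfig=xbean:http://203.0.113.10/cfg.xml to peer',
    'INFO | Establishing network connection from tcp://broker2.internal:61616',
    'INFO | Establishing network connection from '
    'vm://localhost?brokerConfig=xbean:file:/opt/activemq/conf/activemq.xml',
    '10.0.0.6 - admin "POST /api/jolokia/ HTTP/1.1" 200 '
    '{"type":"read","mbean":"org.apache.activemq:type=Broker"}',
]

JOLOKIA_POST = re.compile(r'"POST\s+/api/jolokia/?[^"]*"')
VM_URI = re.compile(r'vm://\S+')
REMOTE_XBEAN = ("xbean:http:", "xbean:https:")


def classify(line):
    """Return the list of indicator labels that match one log line."""
    findings = []
    # Indicator 1: a POST to the Jolokia path whose body invokes addNetworkConnector.
    if JOLOKIA_POST.search(line) and "addNetworkConnector" in line:
        findings.append("jolokia-addNetworkConnector")
    # Indicator 2: a vm:// URI whose brokerConfig query parameter points at a
    # remote xbean:http(s) configuration. Local xbean:file configs are ignored.
    for match in VM_URI.finditer(line):
        query = parse_qs(urlparse(match.group(0)).query)
        for cfg in query.get("brokerConfig", []):
            if cfg.lower().startswith(REMOTE_XBEAN):
                findings.append("vm-uri-remote-xbean-config")
    return findings


def scan(lines):
    """Yield (line_index, label) for every indicator hit across the input."""
    return [(i, label) for i, line in enumerate(lines) for label in classify(line)]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LINES):
        print(f"line {idx}: {label}")
```

Both indicators should be treated as high-confidence triggers for incident response rather than informational events, since neither appears in normal broker-to-broker networking.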