CVE-2026-34197

HIGH KEV NUCLEI LAB

Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

Title source: cna

Exploitation Summary

CVE-2026-34197 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 16, 2026. EIP tracks 16 public exploits from researchers including adminlove520, dinosn and hnytgl, as well as a Metasploit module, exploits/multi/http/apache_activemq_jolokia_rce. A Nuclei detection template is also available.

Description

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.

Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().

This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
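A detection sketch for the request shape described above, added here as an example (not code from Apache or from any repository listed on this page): it flags Jolokia exec calls to the two BrokerService operations named in the description. It assumes Jolokia POST bodies are captured as JSON lines by a reverse proxy or WAF in front of /api/jolokia/; the record layout, the `src` and `body` field names, and all sample values are constructed.

```python
import json

# Operations named in the advisory text. Jolokia may carry a signature suffix
# such as "addConnector(java.lang.String)", so compare the name before "(".
RISKY_OPS = {"addNetworkConnector", "addConnector"}
MBEAN_DOMAIN = "org.apache.activemq:"

def _calls(body):
    """Jolokia accepts one request object or a bulk list of them."""
    if isinstance(body, dict):
        return [body]
    if isinstance(body, list):
        return [c for c in body if isinstance(c, dict)]
    return []

def findings(log_lines):
    """Return (src, operation, severity) for each risky exec call."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON record, skip it
        if not isinstance(rec, dict):
            continue
        for call in _calls(rec.get("body")):
            op = str(call.get("operation", "")).split("(")[0]
            if (str(call.get("type", "")).lower() != "exec"
                    or not str(call.get("mbean", "")).startswith(MBEAN_DOMAIN)
                    or op not in RISKY_OPS):
                continue
            args = " ".join(map(str, call.get("arguments") or []))
            # brokerConfig in the argument is what pulls in remote configuration.
            sev = "high" if "brokerconfig" in args.lower() else "review"
            hits.append((rec.get("src"), op, sev))
    return hits

# Constructed sample records with placeholder arguments (not captured traffic).
SAMPLE = [
    '{"src":"10.0.0.5","body":{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"BrokerVersion"}}',
    '{"src":"10.0.0.9","body":{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector","arguments":["<discovery-uri>?brokerConfig=<remote-xml-url>"]}}',
    '{"src":"10.0.0.7","body":[{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addConnector(java.lang.String)","arguments":["tcp://0.0.0.0:61617"]}]}',
    'GET /admin/ 200',
]

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(hit)
```

Jolokia also accepts GET requests that encode the call in the URL path; this block parses POST bodies only, so path-style requests need a separate rule.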

Exploits (16)

github WORKING POC 3 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-34197

This repository contains a functional exploit for CVE-2026-34197, targeting Apache ActiveMQ via Jolokia MBean manipulation to achieve remote code execution (RCE). The exploit leverages a malicious Spring XML payload served over HTTP to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ (likely versions prior to the fix for CVE-2026-34197)
Auth required
Prerequisites: Access to Jolokia API endpoint · Valid credentials for authentication · Network connectivity to the target
devstral-2 · analyzed May 04, 2026

nomisec WORKING POC 2 stars
by dinosn · remote-auth
https://github.com/dinosn/CVE-2026-34197

This repository contains a functional exploit for CVE-2026-34197, targeting Apache ActiveMQ via Jolokia MBean manipulation to achieve remote code execution (RCE). The exploit leverages a VM transport with a malicious Spring XML payload served over HTTP to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ (likely versions up to 5.18.6)
Auth required
Prerequisites: Access to Jolokia endpoint · Valid credentials for authentication · Network connectivity to the target
devstral-2 · analyzed Apr 08, 2026

github WORKING POC 1 star
by hnytgl · python · remote-auth
https://github.com/hnytgl/cve-2026-34197

This repository contains a functional Python exploit for CVE-2026-34197, targeting Apache ActiveMQ Classic via Jolokia API to add a malicious NetworkConnector. It includes pre-exploitation checks, credential handling, and cleanup functionality.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ Classic
Auth required
Prerequisites: Valid ActiveMQ credentials · Access to Jolokia API endpoint · Attacker-controlled XML file URL
devstral-2 · analyzed May 18, 2026

nomisec WORKING POC 1 star
by Catherines77 · poc
https://github.com/Catherines77/ActiveMQ-EXPtools

This repository contains a Java-based tool for detecting and exploiting multiple Apache ActiveMQ vulnerabilities, including CVE-2026-34197. It includes functional exploit code for deserialization attacks and other vulnerabilities, with a GUI for ease of use.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ
Auth required
Prerequisites: target URL · authentication credentials for certain exploits
devstral-2 · analyzed Apr 20, 2026

nomisec WORKING POC 1 star
by xshysjhq · remote
https://github.com/xshysjhq/CVE-2026-34197-payload-Apache-ActiveMQ-

This repository contains a functional exploit for CVE-2026-34197, targeting Apache ActiveMQ's Jolokia API to achieve remote code execution (RCE) via malicious Spring XML configuration. The exploit leverages the `addNetworkConnector` operation to force ActiveMQ to parse a crafted XML payload, executing system commands through `MethodInvokingFactoryBean`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ (e.g., apache/activemq-classic:6.1.0)
No auth needed
Prerequisites: Python 3 · requests library · publicly accessible attacker server for hosting payload.xml · target with exposed Jolokia API
devstral-2 · analyzed Apr 20, 2026

nomisec WORKING POC
by asdasddqwdq29-a11y · remote-auth
https://github.com/asdasddqwdq29-a11y/CVE-2026-34197

This repository contains functional exploit code for CVE-2026-34197, targeting Apache ActiveMQ via Jolokia API to achieve RCE. The exploit chain involves adding a malicious network connector that fetches a Spring XML payload, leading to command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ Classic < 5.19.4 / 6.0.0 - 6.2.2
Auth required
Prerequisites: Jolokia API access · valid credentials · network connectivity to attacker-controlled server
devstral-2 · analyzed Jun 06, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-34197

This repository contains a functional exploit for CVE-2026-34197, targeting Apache ActiveMQ via Jolokia MBean and VM Transport to achieve remote code execution. The exploit chain involves serving a malicious Spring XML payload and triggering its execution through a crafted Jolokia request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ (likely versions up to 5.18.6)
Auth required
Prerequisites: Access to Jolokia API · Valid credentials for authentication · Network connectivity to the target
devstral-2 · analyzed May 21, 2026

nomisec WORKING POC
by rootdirective-sec · poc
https://github.com/rootdirective-sec/CVE-2026-34197-Lab

This repository contains a functional proof-of-concept for CVE-2026-34197, demonstrating an RCE vulnerability in Apache ActiveMQ Classic via the Jolokia JMX-HTTP API. It includes a Docker lab with vulnerable and patched versions, a detection script, and a constrained RCE PoC that executes a fixed command.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ Classic 5.19.3
Auth required
Prerequisites: authenticated access to Jolokia API · visibility of Broker MBean
devstral-2 · analyzed May 08, 2026

nomisec SCANNER
by keraattin · poc
https://github.com/keraattin/CVE-2026-34197

This repository contains a Python script designed to detect Apache ActiveMQ instances vulnerable to CVE-2026-34197 by checking for exposed Jolokia API endpoints and version information. It does not include exploit code but provides detailed version checks and authentication testing.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ Classic (versions before 5.19.4 and 6.2.3)
No auth needed
Prerequisites: Network access to the target ActiveMQ instance · Jolokia API endpoint exposed
devstral-2 · analyzed Apr 15, 2026

nomisec WORKING POC
by hg0434hongzh0 · remote-auth
https://github.com/hg0434hongzh0/CVE-2026-34197

This PoC exploits CVE-2026-34197 by leveraging Jolokia API to add a malicious network connector in Apache ActiveMQ, forcing the parsing of an external XML configuration to achieve RCE. The exploit targets versions 6.0.0-6.1.1 and includes cleanup steps to remove residual connectors.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ 6.0.0-6.1.1
No auth needed
Prerequisites: Access to Jolokia API endpoint · Attacker-controlled server hosting malicious XML
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by KONDORDEVSECURITYCORP · poc
https://github.com/KONDORDEVSECURITYCORP/CVE-2026-34197

This repository contains a functional exploit for CVE-2026-34197, a critical RCE vulnerability in Apache ActiveMQ via the Jolokia API. The exploit leverages the addNetworkConnector MBean method to trigger remote Spring XML injection, leading to arbitrary command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ Classic < 5.19.4 and 6.0.0 - 6.2.2
Auth required
Prerequisites: Access to Jolokia API (port 8161) · Valid credentials (default: admin:admin) · Network connectivity to serve payload
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by AtoposX-J · poc
https://github.com/AtoposX-J/CVE-2026-34197-Apache-ActiveMQ-RCE

This repository contains a functional exploit for CVE-2026-34197, targeting Apache ActiveMQ via the Jolokia API to achieve remote code execution (RCE). The exploit leverages the addNetworkConnector operation to force the broker to download and execute a malicious Spring XML configuration file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ Classic < 5.19.4, 6.0.0 - 6.2.2
No auth needed
Prerequisites: Network access to the Jolokia API endpoint · Python environment with requests library
devstral-2 · analyzed Apr 09, 2026

nomisec WORKING POC
by DEVSECURITYSPRO · remote-auth
https://github.com/DEVSECURITYSPRO/CVE-2026-34197

This repository contains a functional exploit for CVE-2026-34197, an RCE vulnerability in Apache ActiveMQ Classic via the Jolokia API. The exploit leverages the `addNetworkConnector` MBean operation to force the broker to download and execute a malicious Spring XML configuration file, leading to arbitrary command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ Classic < 5.19.4, 6.0.0 - 6.2.2
Auth required
Prerequisites: Network access to port 8161 · Valid credentials (default: admin:admin) or unauthenticated access in versions 6.0.0 - 6.1.1
devstral-2 · analyzed Apr 09, 2026

nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-34197

This repository provides a detailed technical analysis of CVE-2026-34197, an authenticated RCE vulnerability in Apache ActiveMQ via Jolokia MBeans. It includes root cause analysis, affected versions, mitigation steps, and detection ideas.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ < 5.19.4, 6.0.0 - 6.2.2
Auth required
Prerequisites: Authenticated access to Jolokia endpoint · Exposed /api/jolokia/ endpoint
devstral-2 · analyzed Apr 08, 2026

metasploit WORKING POC EXCELLENT
by dinosn, h00die · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_activemq_jolokia_rce.rb

This Metasploit module exploits CVE-2026-34197 in Apache ActiveMQ by leveraging the Jolokia JMX-over-HTTP API to add a malicious network connector. The connector fetches a remote Spring XML configuration that instantiates a ProcessBuilder bean, executing arbitrary OS commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache ActiveMQ (with Jolokia API exposed)
Auth required
Prerequisites: Jolokia API accessible at /api/jolokia/ · Valid credentials (default: admin:admin) · Network access to target
devstral-2 · analyzed May 29, 2026

Nuclei Templates (1)

Apache ActiveMQ - Remote Code Execution
CRITICAL · VERIFIED · by DhiyaneshDk, horizon3
Shodan: title:"ActiveMQ" port:8161
FOFA: title="ActiveMQ" && port="8161"

Scores

CVSS v3 8.8
EPSS 0.8346
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull apache/activemq-classic:5.18.6
docker pull eclipse-temurin:17-jre-jammy
docker pull alfresco/alfresco-activemq:6.2.1-jre17-rockylinux8

Details

CISA KEV 2026-04-16
VulnCheck KEV 2026-04-16
ENISA EUVD EUVD-2026-19588
CWE: CWE-20, CWE-94
Status published
Products (10)
apache/activemq < 5.19.4
apache/activemq_broker < 5.19.4
Apache Software Foundation/Apache ActiveMQ < 5.19.4
Apache Software Foundation/Apache ActiveMQ 6.0.0 - 6.2.3
Apache Software Foundation/Apache ActiveMQ All < 5.19.4
Apache Software Foundation/Apache ActiveMQ All 6.0.0 - 6.2.3
Apache Software Foundation/Apache ActiveMQ Broker < 5.19.4
Apache Software Foundation/Apache ActiveMQ Broker 6.0.0 - 6.2.3
org.apache.activemq/activemq-all 0 - 5.19.5 (Maven)
org.apache.activemq/activemq-broker 0 - 5.19.5 (Maven)
Published Apr 07, 2026
KEV Added Apr 16, 2026
Tracked Since Apr 07, 2026