An AI-powered vulnerability-hunting effort helped security researchers uncover a flaw in Apache ActiveMQ Classic that they claim had been hiding in plain sight for over a decade. According to Infosecurity Magazine, Horizon3[.]ai chief architect Naveen Sunkavally described CVE-2026-34197 as a high-priority RCE, noting that an attacker can trigger the Jolokia API to fetch a remote configuration file and run arbitrary OS commands, provided credentials are present.
In some versions (6.0.0–6.1.1), no credentials are required because CVE-2024-32114 exposes the Jolokia API without authentication; in those versions CVE-2026-34197 is effectively unauthenticated. CVE-2026-34197 was patched in ActiveMQ Classic versions 5.19.4 and 6.2.3, and users are advised to update and ensure no default credentials are in use.
The article also lists indicators of compromise such as POST requests to /api/jolokia/ containing addNetworkConnector, outbound HTTP requests to unexpected hosts, and unexpected child processes from the ActiveMQ Java process. For context, the discovery was described as taking Claude 10 minutes to connect the path end to end, with Sunkavally urging appsec engineers to use such tools in their work.
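One way to triage the first indicator above (POST requests to /api/jolokia/ containing addNetworkConnector), added here as an example and not code from the article or Horizon3.ai. It assumes a proxy or WAF log that records request bodies; the record layout, sample records, and placeholder mbean and argument values are constructed.

```python
import json
from urllib.parse import unquote, urlsplit

OPERATION = "addnetworkconnector"  # operation named in the article's IoC list, lowercased
ENDPOINT = "/api/jolokia"          # Jolokia path named in the article

def classify(method, url, body):
    """Return 'confirmed', 'possible' or None for one HTTP request."""
    if method.upper() != "POST":
        return None
    path = unquote(urlsplit(url).path).lower().rstrip("/")
    if path != ENDPOINT and not path.startswith(ENDPOINT + "/"):
        return None
    try:
        doc = json.loads(body)
        items = doc if isinstance(doc, list) else [doc]  # bulk requests arrive as arrays
    except ValueError:
        items = []
    for item in items:
        if isinstance(item, dict):
            # An operation name may carry a signature suffix in parentheses.
            op = str(item.get("operation", "")).split("(")[0].strip().lower()
            if op == OPERATION:
                return "confirmed"
    # Body is not a parsable Jolokia request but still names the operation.
    return "possible" if OPERATION in unquote(body).lower() else None

def triage(records):
    """Return [(timestamp, source, verdict)] for every flagged record."""
    hits = []
    for ts, src, method, url, body in records:
        verdict = classify(method, url, body)
        if verdict:
            hits.append((ts, src, verdict))
    return hits

def _body(*ops):
    """Build a constructed Jolokia body; mbean and arguments are placeholders."""
    reqs = [{"type": "exec", "mbean": "<mbean>", "operation": o, "arguments": ["<arg>"]}
            for o in ops]
    return json.dumps(reqs[0] if len(reqs) == 1 else reqs)

# Constructed sample records: (timestamp, source IP, method, URL, body).
SAMPLE = [
    ("10:00:01", "192.0.2.10", "POST", "/api/jolokia/", _body("addNetworkConnector")),
    ("10:00:02", "192.0.2.11", "POST", "/api/jolokia",
     _body("someOtherOperation", "addNetworkConnector(java.lang.String)")),
    ("10:00:03", "192.0.2.12", "POST", "/api/jolokia/", "op=addNetwork%43onnector"),
    ("10:00:04", "192.0.2.13", "POST", "/api/jolokia/", _body("someOtherOperation")),
    ("10:00:05", "192.0.2.14", "GET", "/api/jolokia/version", ""),
    ("10:00:06", "192.0.2.15", "POST", "/admin/send", "addNetworkConnector"),
]
```

A "confirmed" hit is worth correlating with the other two indicators the article lists: outbound HTTP from the broker host and child processes of the ActiveMQ Java process around the same timestamp.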