A remote code execution vulnerability lurked in Apache ActiveMQ Classic for 13 years, with Horizon3[.]ai noting that it could be chained with an older flaw to bypass authentication. The issue, tracked as CVE-2026-34197, allows attackers to invoke management operations through the Jolokia API and coax the broker into retrieving a remote configuration file to execute OS commands.
According to Horizon3[.]ai, the defect is a bypass for CVE-2022-41678, which could let attackers write webshells to disk by invoking specific JDK MBeans. The fix added a flag so that all operations on every ActiveMQ MBean can be called through Jolokia, addressing a code execution path that occurs when setting up broker-to-broker bridges at runtime.
Exploitation could also be achieved without authentication on some deployments by abusing CVE-2024-32114, which left the Jolokia endpoint unauthenticated on certain versions. ActiveMQ Classic versions 5.19.4 and 6.2.3 contain the fix, and users are advised to update deployments as soon as possible.
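For defenders reviewing broker traffic while patching, the following added example (not code from the article or from Horizon3[.]ai) triages HTTP request records for Jolokia `exec` calls against ActiveMQ MBeans and notes whether each call was authenticated. The record schema (`src`, `method`, `url`, `body`, `auth_user`), the `/api/jolokia` path and the operation name in the sample data are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit, unquote

AMQ_DOMAIN = "org.apache.activemq:"  # JMX domain prefix of ActiveMQ broker MBeans

def jolokia_calls(method, url, body=""):
    """Yield (type, mbean, operation) for every Jolokia call in one HTTP request."""
    _, found, tail = urlsplit(url).path.partition("/jolokia")
    if not found:
        return
    if method == "POST":
        try:
            doc = json.loads(body)
        except (ValueError, TypeError):
            return  # body is not JSON, so there is no Jolokia request to inspect
        # Jolokia accepts one JSON object or an array of them (bulk request).
        for req in doc if isinstance(doc, list) else [doc]:
            if isinstance(req, dict):
                yield tuple(str(req.get(k, "")) for k in ("type", "mbean", "operation"))
    elif method == "GET":
        # GET form: <base>/jolokia/<type>/<mbean>/<operation>/<arguments...>
        parts = [unquote(p) for p in tail.strip("/").split("/")] + ["", "", ""]
        yield tuple(parts[:3])

def triage(records):
    """Flag exec calls on ActiveMQ MBeans and note whether a user was authenticated."""
    findings = []
    for rec in records:
        for kind, mbean, op in jolokia_calls(rec["method"], rec["url"], rec.get("body", "")):
            if kind.lower() == "exec" and mbean.startswith(AMQ_DOMAIN):
                findings.append({"src": rec["src"], "operation": op,
                                 "authenticated": bool(rec.get("auth_user"))})
    return findings

BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
# Constructed sample records; "exampleOperation" is a placeholder, not a real operation.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "url": "/api/jolokia/", "auth_user": "admin",
     "body": '{"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage"}'},
    {"src": "198.51.100.7", "method": "POST", "url": "/api/jolokia/", "auth_user": None,
     "body": json.dumps({"type": "exec", "mbean": BROKER, "operation": "exampleOperation"})},
    {"src": "192.0.2.10", "method": "POST", "url": "/api/jolokia/", "auth_user": "ops",
     "body": json.dumps([{"type": "version"},
                         {"type": "exec", "mbean": BROKER, "operation": "exampleOperation"}])},
    {"src": "198.51.100.7", "method": "GET", "auth_user": None,
     "url": "/api/jolokia/exec/" + BROKER + "/exampleOperation/x"},
]
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Findings with `authenticated` set to `False` are the ones to review first, since they indicate the management endpoint answered without credentials.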