13-Year-Old Apache ActiveMQ RCE Flaw Discovered by AI Assistant
A critical remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197, has been uncovered after remaining undetected for 13 years. The flaw allows attackers to execute arbitrary commands by forcing the message broker to download and run a malicious remote configuration file.
The exploit targets Jolokia, a REST API interface in ActiveMQ’s web-based management console. While developers restricted Jolokia to read-only operations in 2023, they retained full permissions for ActiveMQ’s management beans (MBeans), creating a security gap. Attackers can abuse the addNetworkConnector operation by supplying a crafted vm:// URI, which fetches a remote Spring XML file and executes it, granting full system control.
Under normal conditions, exploitation requires administrator credentials (e.g., default admin:admin). However, in ActiveMQ versions 6.0.0 through 6.1.1, a separate flaw (CVE-2024-32114) removes authentication requirements, enabling unauthenticated RCE.
Security researcher Naveen Sunkavally discovered the vulnerability using Claude AI, which analyzed the codebase in 10 minutes, a task that typically takes human researchers weeks. The AI identified the interaction between Jolokia, JMX, and network connectors, demonstrating the growing role of AI in vulnerability hunting.
ActiveMQ has been a frequent target for ransomware groups and nation-state actors, making this a high-priority patch. Organizations are advised to upgrade to versions 5.19.4 or 6.2.3, which remove the dangerous vm:// transport capability from remote operations. Additional mitigations include changing default credentials, monitoring logs for suspicious vm:// URIs, and watching for unexpected POST requests to /api/jolokia/ containing addNetworkConnector.
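The monitoring advice above (watch for POST requests to /api/jolokia/ that invoke addNetworkConnector, and for vm:// URIs in request data) can be turned into a small detector. The following is an added example written for defenders; it is not code from the article or from the ActiveMQ project. It assumes request records that carry the HTTP method, path and body, as a reverse proxy or WAF configured to log request bodies would produce; the sample records, the MBean name and the URIs in them are constructed placeholders.

```python
"""Flag Jolokia management requests that match the indicators in the article:
POST requests to /api/jolokia/ whose body invokes addNetworkConnector, and any
request carrying a vm:// URI. Added example for defenders; the request records
below are constructed and use placeholder MBean names and URIs."""
import json
from dataclasses import dataclass, field
from urllib.parse import unquote

JOLOKIA_PATH_PREFIX = "/api/jolokia"      # management console REST endpoint named in the article
SUSPICIOUS_OPERATION = "addNetworkConnector"
SUSPICIOUS_SCHEME = "vm://"


@dataclass
class Finding:
    index: int                          # position of the record in the scanned list
    reasons: list = field(default_factory=list)


def _jolokia_requests(body: str):
    """Yield the individual Jolokia request objects found in a POST body.

    Jolokia accepts a single JSON object or an array of objects (bulk
    requests). A body that is not JSON yields nothing; inspect_request then
    falls back to a raw substring check so malformed bodies are not ignored.
    """
    try:
        parsed = json.loads(body)
    except (ValueError, TypeError):
        return
    items = parsed if isinstance(parsed, list) else [parsed]
    for item in items:
        if isinstance(item, dict):
            yield item


def inspect_request(method: str, path: str, body: str) -> list:
    """Return the list of reasons a single request is suspicious (empty if none)."""
    reasons = []
    decoded_path = unquote(path)        # catch percent-encoded vm%3A%2F%2F in the URL
    is_jolokia = decoded_path.startswith(JOLOKIA_PATH_PREFIX)
    if is_jolokia and method.upper() == "POST":
        for req in _jolokia_requests(body):
            if req.get("type") == "exec" and req.get("operation") == SUSPICIOUS_OPERATION:
                reasons.append("POST to Jolokia invokes addNetworkConnector")
                break
        else:
            # Loop ended without a structured match: body was not JSON or used
            # another shape, so fall back to the literal check from the article.
            if SUSPICIOUS_OPERATION in body:
                reasons.append("POST to Jolokia mentions addNetworkConnector (body not parsed as JSON)")
    if SUSPICIOUS_SCHEME in decoded_path or SUSPICIOUS_SCHEME in body:
        reasons.append("request carries a vm:// URI")
    return reasons


def scan(records: list) -> list:
    """Run inspect_request over every record and collect the findings."""
    findings = []
    for i, rec in enumerate(records):
        reasons = inspect_request(rec["method"], rec["path"], rec.get("body", ""))
        if reasons:
            findings.append(Finding(i, reasons))
    return findings


# Constructed sample records (not real traffic). MBean and URI values are placeholders.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/api/jolokia/version", "body": ""},                       # benign
    {"method": "POST", "path": "/api/jolokia/",
     "body": json.dumps({"type": "read", "mbean": "java.lang:type=Memory",
                         "attribute": "HeapMemoryUsage"})},                               # benign read
    {"method": "POST", "path": "/api/jolokia/",
     "body": json.dumps({"type": "exec", "mbean": "PLACEHOLDER_BROKER_MBEAN",
                         "operation": "addNetworkConnector",
                         "arguments": ["vm://placeholder-constructed"]})},               # both indicators
    {"method": "POST", "path": "/api/jolokia/",
     "body": '[{"type":"exec","mbean":"PLACEHOLDER_BROKER_MBEAN",'
             '"operation":"addNetworkConnector","arguments":["tcp://peer-broker:61616"]}]'},  # bulk form
    {"method": "POST", "path": "/admin/connections.jsp", "body": "uri=vm://placeholder"},  # vm:// elsewhere
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"record {f.index}: " + "; ".join(f.reasons))
```

The structured check keys on the Jolokia request shape (type "exec" plus the operation name) so that a legitimate read of an attribute whose value happens to mention the operation does not fire, while the substring fallback keeps non-JSON or malformed bodies in scope. An addNetworkConnector call with a tcp:// target can be a legitimate network-of-brokers change, so treat that finding as something to triage against change records rather than as a confirmed compromise; a vm:// argument arriving over the management API is the pattern the article singles out.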
Source: https://gbhackers.com/claude-identifies-critical-13-year-old-rce-vulnerability-in-apache-activemq/
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation
{
  "id": "THE1775629469",
  "linkid": "the-apache-software-foundation",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Technology/Software Development",
      "name": "Apache ActiveMQ",
      "type": "Software"
    }
  ],
  "attack_vector": "Exploitation of Jolokia REST API via crafted `vm://` URI",
  "description": "A critical remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197, has been uncovered after remaining undetected for 13 years. The flaw allows attackers to execute arbitrary commands by forcing the message broker to download and run a malicious remote configuration file. The exploit targets Jolokia, a REST API interface in ActiveMQ’s web-based management console. Attackers can abuse the `addNetworkConnector` operation by supplying a crafted `vm://` URI, which fetches a remote Spring XML file and executes it, granting full system control. In ActiveMQ versions 6.0.0 through 6.1.1, a separate flaw (CVE-2024-32114) removes authentication requirements, enabling unauthenticated RCE.",
  "impact": {
    "operational_impact": "Full system control by attackers",
    "systems_affected": "Apache ActiveMQ Classic (versions 5.x and 6.x)"
  },
  "lessons_learned": "AI-assisted vulnerability hunting can significantly accelerate discovery of critical flaws. Default credentials and over-permissive configurations remain a major security risk.",
  "post_incident_analysis": {
    "corrective_actions": "Remove `vm://` transport capability from remote operations, enforce authentication for Jolokia API, and patch vulnerable versions.",
    "root_causes": "Retention of full permissions for ActiveMQ’s MBeans despite Jolokia read-only restrictions, use of `vm://` URI for remote configuration execution, and unauthenticated access in vulnerable versions (CVE-2024-32114)."
  },
  "recommendations": "Upgrade to patched versions (5.19.4 or 6.2.3), change default credentials, monitor for suspicious activity, and restrict Jolokia API permissions.",
  "references": [
    {"source": "Security Research by Naveen Sunkavally"}
  ],
  "response": {
    "containment_measures": "Upgrade to versions 5.19.4 or 6.2.3, remove `vm://` transport capability from remote operations",
    "enhanced_monitoring": "Monitor logs for suspicious `vm://` URIs and unexpected POST requests",
    "remediation_measures": "Change default credentials, monitor logs for suspicious `vm://` URIs, watch for unexpected POST requests to `/api/jolokia/` containing `addNetworkConnector`"
  },
  "title": "13-Year-Old Apache ActiveMQ RCE Flaw Discovered by AI Assistant",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": ["CVE-2026-34197", "CVE-2024-32114"]
}