CISA places critical ActiveMQ Jolokia RCE (CVE-2026-34197) on KEV, forcing expedited remediation
- CISA added Apache ActiveMQ flaw CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16 after confirming active exploitation in the wild.
- The bug lets an authenticated user reach the Jolokia management bridge and make the broker load malicious Spring XML, leading to code execution inside ActiveMQ's Java process.
- Shadowserver says internet-exposed ActiveMQ servers are still showing up with the CVE-2026-34197 tag in its scans. (shadowserver.org)
CISA added Apache ActiveMQ vulnerability CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16, saying the bug is being actively exploited. (cisa.gov)

ActiveMQ is message-broker software: it sits between applications and moves messages from one system to another. Jolokia is the JMX-over-HTTP bridge bundled with ActiveMQ's web console; it exposes the broker's Java management (JMX) operations over HTTP at `/api/jolokia/`. (nvd.nist.gov) (activemq.apache.org) Apache and the National Vulnerability Database describe CVE-2026-34197 as an authenticated attacker calling exposed ActiveMQ management functions and passing a crafted discovery address. That chain makes the broker fetch and load a remote Spring XML file before validation finishes, ending in arbitrary code execution on the broker's Java virtual machine. (nvd.nist.gov) (activemq.apache.org) "Authenticated" is a weaker barrier than it sounds: the stock web console ships with a default `admin`/`admin` account in `conf/jetty-realm.properties`, and the `/api/jolokia/` path is protected by that same realm, so a broker still running the defaults is effectively open to anyone who can reach the console port.

Apache lists the affected versions as ActiveMQ Broker and ActiveMQ packages before 5.19.4, and 6.0.0 through 6.2.2. "Before 5.19.4" is not limited to the 5.19 line: every 5.18.x, 5.17.x and older release is in scope. Its advisory says the fix is in versions 5.19.4 and 6.2.3. (activemq.apache.org)

That matters because CISA's catalog is not just a watchlist. Under Binding Operational Directive 22-01, federal civilian agencies are required to remediate KEV-listed vulnerabilities by CISA's due date, and CISA says all organizations should prioritize the same bugs because they are already being used in attacks. (cisa.gov 1) (cisa.gov 2)

Shadowserver updated its public ActiveMQ scanning documentation on April 20 to note that CVE-2026-34197 is "known exploited in the wild and on CISA KEV." The nonprofit says it tags exposed ActiveMQ services as `cve-2026-34197` based on version checks and tells recipients to investigate for compromise and patch. (shadowserver.org) A version-based tag cannot tell whether the console is reachable or whether the credentials are still the defaults, so a tagged host should be treated as a lead to verify, not as proof either way.

The flaw is part of a longer ActiveMQ security pattern around management surfaces and deserialization-style code execution. Apache's security page now lists CVE-2026-34197 alongside older ActiveMQ remote-code-execution issues, including CVE-2023-46604, the unauthenticated OpenWire deserialization bug that likewise ended in the broker loading attacker-controlled Spring XML, and CVE-2022-41678, an earlier authenticated code-execution path through the same Jolokia bridge. (activemq.apache.org)

Apache has also published newer 2026 advisories that show the cleanup is still evolving. One later issue, CVE-2026-40466, is described by Apache as a possible bypass of CVE-2026-34197, and another, CVE-2026-41044, affects versions before 5.19.6 and 6.2.5 through a different Jolokia-exposed management path. (activemq.apache.org 1) (activemq.apache.org 2) Read together, the realistic patch floor for the Jolokia surface is 5.19.6 or 6.2.5, not the 5.19.4 and 6.2.3 named in the original advisory.

For defenders, the immediate question is whether the web console and Jolokia endpoint are reachable and whether any exposed broker is still on a vulnerable branch. Patching aside, the durable fixes are to keep the console and `/api/jolokia/` off the internet (bind the Jetty `host` in `conf/jetty.xml` to a management address or front it with an authenticating proxy), replace any default console credentials, and review broker hosts for signs of an earlier intrusion rather than assuming the upgrade also cleaned up after one. CISA's move means this is no longer a theoretical bug report; it is an exploited path into a production message broker. (cisa.gov) (shadowserver.org)
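The version check that the last paragraph, and Shadowserver's version-based tagging, call for, as an added example that is not from the original page, from Apache, CISA or Shadowserver: it parses an ActiveMQ version string, decides whether it falls below the fixed versions quoted above, and reads the broker version out of a Jolokia `read` response for the broker MBean's `BrokerVersion` attribute. The Jolokia JSON is constructed here in the response shape Jolokia uses; the MBean name with the default `brokerName=localhost`, the `FIX_VERSIONS` table, and the reading of CVE-2026-41044's ranges as "5.x before 5.19.6, 6.x before 6.2.5" are this example's assumptions.

```python
import json
import re

# Fixed versions as Apache's advisory, quoted above, states them for
# CVE-2026-34197: before 5.19.4 and 6.0.0 through 6.2.2 are affected.
# For CVE-2026-41044 the page gives 5.19.6 and 6.2.5; reading that as
# "5.x before 5.19.6, 6.x before 6.2.5" is an assumption of this example.
FIX_VERSIONS = {
    "CVE-2026-34197": ((5, 19, 4), (6, 2, 3)),
    "CVE-2026-41044": ((5, 19, 6), (6, 2, 5)),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '5.18.3' or '6.2.3-SNAPSHOT' into a (major, minor, patch) tuple.

    Tuples compare numerically, so (5, 9, 0) < (5, 19, 4); a string
    comparison ('5.9.0' > '5.19.4') gets exactly this case wrong, which is
    why banner-based tagging must parse the version rather than compare text.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version, fixed_5x, fixed_6x):
    """True when `version` is below the fix on its branch.

    'Before 5.19.4' covers every older release, so 5.18.x, 5.17.x and
    anything earlier all count; the 6.x line is affected from 6.0.0 up to,
    but excluding, its own fix. Anything at or past the fixes returns False.
    """
    v = parse_version(version) if isinstance(version, str) else version
    if v < fixed_5x:
        return True
    return (6, 0, 0) <= v < fixed_6x


def affected_cves(version):
    """CVE IDs from FIX_VERSIONS that the given broker version is still open to."""
    return [cve for cve, (fix5, fix6) in FIX_VERSIONS.items()
            if is_affected(version, fix5, fix6)]


def broker_version_from_jolokia(body):
    """Extract BrokerVersion from a Jolokia read response.

    This is the JSON Jolokia returns for (assumed broker name 'localhost')
      GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/BrokerVersion
    made with the web console's credentials: a 'status' field and, on
    success, the attribute in 'value'. Errors carry 'error' instead.
    """
    doc = json.loads(body)
    if doc.get("status") != 200 or "value" not in doc:
        raise ValueError(f"Jolokia request failed: {doc.get('error', doc)}")
    return str(doc["value"])


def triage_jolokia_response(body):
    """Map one Jolokia BrokerVersion response to the list of open CVEs."""
    return affected_cves(broker_version_from_jolokia(body))


# Constructed sample responses (not captured from a real broker).
SAMPLE_OK = json.dumps({
    "request": {"mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
                "attribute": "BrokerVersion", "type": "read"},
    "value": "5.18.3",
    "timestamp": 1776600000,
    "status": 200,
})
SAMPLE_ERROR = json.dumps({
    "request": {"mbean": "org.apache.activemq:type=Broker,brokerName=prod",
                "attribute": "BrokerVersion", "type": "read"},
    "error_type": "javax.management.InstanceNotFoundException",
    "error": "javax.management.InstanceNotFoundException : "
             "org.apache.activemq:type=Broker,brokerName=prod",
    "status": 404,
})


if __name__ == "__main__":
    for v in ("5.9.0", "5.18.3", "5.19.3", "5.19.4", "5.19.6",
              "6.2.2", "6.2.3", "6.2.5"):
        print(v, affected_cves(v))
    print("sample broker:", triage_jolokia_response(SAMPLE_OK))
```

Two details are worth noting. The numeric tuple comparison is what makes `5.9.0` come out as vulnerable; a plain string comparison against `5.19.4` would call it patched, and the same mistake turns up in hand-written inventory scripts. And the Jolokia call the sample response models is itself an authenticated management request, so run it only against brokers you operate; for anything else, feed the function the banner version your scanner or Shadowserver report already gives you.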