CISA adds ActiveMQ CVE-2026-34197 to KEV

- CISA added Apache ActiveMQ flaw CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16, 2026, citing evidence of active exploitation. (cisa.gov)
- Apache said CVE-2026-34197 affects ActiveMQ Classic before 5.19.4 and 6.0.0 through 6.2.2, with fixes released in 5.19.4 and 6.2.3. (activemq.apache.org)
- Apache later published CVE-2026-40466, a bypass issue fixed in ActiveMQ 5.19.6 and 6.2.5, on its security advisories page. (activemq.apache.org)

CISA added Apache ActiveMQ vulnerability CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16, 2026, saying the entry was based on evidence of active exploitation. Apache and security researchers have described the flaw as a code-execution issue tied to the Jolokia JMX-HTTP bridge exposed through the ActiveMQ Classic web console. (cisa.gov) Apache said fixed versions were released as 5.19.4 and 6.2.3. CISA said federal civilian agencies must remediate KEV-listed flaws by the published due date under Binding Operational Directive 22-01, and urged other organizations to prioritize the same vulnerabilities in their patching programs. (activemq.apache.org 1) (activemq.apache.org 2)

### What exactly did CISA put on the KEV list?

CISA's April 16 alert named CVE-2026-34197 as the newly added entry and said the flaw had met the agency's threshold for inclusion because there was reliable evidence of active exploitation. CISA says the KEV catalog is the authoritative list of vulnerabilities known to be exploited in the wild and is used by agencies and other defenders to prioritize remediation. CISA's KEV guidance says a vulnerability must have an assigned CVE, reliable evidence of active exploitation, and a clear remediation action before it is added. The agency also says all organizations, not only federal agencies, should treat KEV entries as immediate remediation priorities. (cisa.gov)

### How does the ActiveMQ flaw work?

Apache said CVE-2026-34197 affects ActiveMQ Broker and bundled ActiveMQ packages before version 5.19.4, and versions from 6.0.0 up to but not including 6.2.3. The project described the issue as improper input validation and code injection in ActiveMQ Classic's exposure of the Jolokia bridge at `/api/jolokia/` on the web console. (cisa.gov) Apache's advisory says the default Jolokia access policy permits execution of operations on ActiveMQ MBeans, including methods that add connectors. A crafted discovery URI can cause the broker to load a remote Spring XML application context, and Apache said code execution occurs in the broker's Java virtual machine before configuration validation completes. (cisa.gov) Horizon3.ai researcher Naveen Sunkavally, whom Apache credited with finding the bug, said the issue becomes unauthenticated remote code execution on versions where Jolokia is exposed without authentication, referring to the earlier ActiveMQ issue tracked as CVE-2024-32114. Horizon3.ai said exposed Jolokia endpoints and weak or default console credentials increase risk. (activemq.apache.org)

### Why are researchers focusing on Jolokia exposure?

Apache's own description ties the exploit path to the Jolokia JMX-HTTP bridge and to management operations exposed through ActiveMQ MBeans. That has led researchers to focus on internet-facing ActiveMQ deployments where the web console or Jolokia endpoint is reachable. (activemq.apache.org) Horizon3.ai said organizations should upgrade and restrict exposure of the web console and Jolokia endpoints. The firm also said the exploit chain can let an attacker execute code as the ActiveMQ service user once the management path is reachable. (activemq.apache.org)

### What is CVE-2026-40466, and how is it related?

Apache later published CVE-2026-40466 as a separate "important" advisory and described it as a possible bypass of the fix for CVE-2026-34197 through an HTTP discovery second-stage URI. Apache said an authenticated attacker could add a connector through Jolokia if the `activemq-http` module is on the classpath, allowing a malicious HTTP endpoint to return a VM transport that bypasses the earlier validation. (activemq.apache.org) Apache said CVE-2026-40466 affects versions before 5.19.6 and versions from 6.0.0 up to but not including 6.2.5, and recommended upgrading to 5.19.6 or 6.2.5. The project's security page now lists CVE-2026-34197, CVE-2026-40466 and another Jolokia-related issue, CVE-2026-41044, among recent ActiveMQ Classic advisories. (horizon3.ai)

### Which versions should defenders be checking now?

Apache said defenders should first determine whether they are running versions older than 5.19.4 or 6.2.3 for the original KEV-listed flaw, and then check whether they also need the newer fixes in 5.19.6 or 6.2.5 for the bypass issue. The affected package names in Apache's advisories include `activemq-broker`, `activemq-all`, and `apache-activemq`, depending on branch and release line. (activemq.apache.org) CISA's guidance says KEV entries should be folded into vulnerability-management workflows immediately, while Apache's advisories point administrators to the fixed releases as the remediation path. For teams reviewing exposure on May 18, 2026, the concrete next step is to inventory internet-facing ActiveMQ Classic instances, verify whether Jolokia or the web console is reachable, and compare deployed versions against Apache's fixed releases 5.19.4, 5.19.6, 6.2.3 and 6.2.5. (activemq.apache.org) (activemq.apache.org)
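The version triage described above, as an added example that is not part of the original briefing or of Apache's tooling: it encodes the fixed releases for both advisories, reports which CVEs a deployed ActiveMQ Classic version still lacks fixes for, and ranks a constructed inventory so that hosts with a reachable Jolokia or web console and a missing fix come first. It assumes only the 5.x and 6.x release lines named in the advisories and plain `major.minor.patch` version strings.

```python
# Fixed releases per Apache's advisories, keyed by release line (major version).
# CVE-2026-34197: fixed in 5.19.4 and 6.2.3.  CVE-2026-40466 (bypass): fixed in 5.19.6 and 6.2.5.
FIXED = {
    "CVE-2026-34197": {5: (5, 19, 4), 6: (6, 2, 3)},
    "CVE-2026-40466": {5: (5, 19, 6), 6: (6, 2, 5)},
}

# Constructed sample inventory (hostnames and reachability flags are made up for illustration).
INVENTORY = [
    {"host": "mq-a.example.internal", "version": "5.18.3", "jolokia_reachable": True, "console_reachable": True},
    {"host": "mq-b.example.internal", "version": "6.2.3", "jolokia_reachable": False, "console_reachable": False},
    {"host": "mq-c.example.internal", "version": "6.2.5", "jolokia_reachable": True, "console_reachable": False},
]


def parse_version(text):
    """Parse 'major.minor.patch' (any '-suffix' such as -SNAPSHOT is ignored) into an int tuple."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(p) for p in parts)


def outstanding_cves(version_text):
    """Return the advisories (in FIXED order) whose fix this version does not yet carry."""
    v = parse_version(version_text)
    missing = []
    for cve, lines in FIXED.items():
        fixed_in = lines.get(v[0])
        if fixed_in is None:
            # Release line not covered by the advisories quoted on the page; fail closed.
            raise ValueError(f"no advisory data for release line {v[0]}.x")
        if v < fixed_in:  # tuple comparison: 6.2.2 < 6.2.3, 5.19.4 < 5.19.6, etc.
            missing.append(cve)
    return missing


def triage(inventory):
    """Rank hosts: missing fix + reachable management path first, then missing fix only, then ok."""
    rows = []
    for row in inventory:
        cves = outstanding_cves(row["version"])
        exposed = row["jolokia_reachable"] or row["console_reachable"]
        level = "ok" if not cves else ("urgent" if exposed else "patch")
        rows.append((row["host"], level, cves))
    order = {"urgent": 0, "patch": 1, "ok": 2}
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for host, level, cves in triage(INVENTORY):
        print(f"{level:7} {host:24} {', '.join(cves) or 'no outstanding fixes'}")
```

A real inventory would replace the constructed rows with versions read from the deployed packages and reachability results from a scan of the `/api/jolokia/` and web-console paths.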
