Apache ActiveMQ RCE flaws exploited
- Apache ActiveMQ users were warned on May 23 that older and newer remote-code-execution flaws, including CVE-2023-46604 and Jolokia bugs, are being exploited.
- CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16, citing evidence of active exploitation against Apache ActiveMQ.
- Apache lists fixes in its ActiveMQ Classic security advisories, including updates for CVE-2026-34197 and CVE-2026-40466.

Apache ActiveMQ users are dealing with two separate exploit paths that now sit in the same urgent bucket: an older OpenWire remote-code-execution bug and newer Jolokia-based management flaws. Apache said CVE-2023-46604 affects ActiveMQ Classic and Java-based OpenWire clients, while CISA said CVE-2026-34197 is under active exploitation and added it to the federal Known Exploited Vulnerabilities catalog on April 16.

Apache’s security pages also list CVE-2026-40466 as a follow-on issue tied to the Jolokia fixes. The project says that bug can bypass the CVE-2026-34197 remediation in some cases when the `activemq-http` module is present on the classpath.

### Which ActiveMQ bug is the older one that defenders already know?

CVE-2023-46604 was disclosed by Apache on November 3, 2023, as a remote code execution issue in the Java OpenWire protocol marshaller. (activemq.apache.org) Apache said users of ActiveMQ Classic, ActiveMQ Artemis brokers and Java-based OpenWire clients should upgrade.

Apache’s advisory lists affected ActiveMQ Classic branches including 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, 5.16.0 before 5.16.7 and versions before 5.15.16. (activemq.apache.org) CISA added that flaw to the KEV catalog on November 2, 2023, saying it had evidence of active exploitation.

### What changed with the Jolokia issues?

CVE-2026-34197 is a different attack path. (activemq.apache.org) Apache says ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at `/api/jolokia/` on the web console, and that the default Jolokia access policy permits `exec` operations on ActiveMQ MBeans, including methods that can add connectors.

Jolokia describes itself as a JMX-HTTP bridge for remote management operations. (activemq.apache.org) In ActiveMQ Classic, Apache said an authenticated attacker could abuse that management surface with a crafted discovery URI to trigger code execution.

### Why is CVE-2026-40466 being mentioned with CVE-2026-34197?

Apache says CVE-2026-40466 is a possible bypass of CVE-2026-34197. In its advisory text, the project says an authenticated attacker may bypass the earlier fix by adding a connector using an HTTP Discovery transport through Jolokia if the `activemq-http` module is on the classpath. (activemq.apache.org) (jolokia.org)

The same advisory says a malicious HTTP endpoint can return a VM transport through the HTTP URI, which would bypass the validation added for CVE-2026-34197. That makes the two Jolokia CVEs part of the same patching conversation rather than separate cleanup items.

### What systems are most exposed?

Apache’s 2023 advisory says CVE-2023-46604 hits Java-based OpenWire clients and brokers, and public reporting around that flaw has long focused on the OpenWire service rather than only the web console. (activemq.apache.org)

Apache did not name port 61616 in the advisory, but that port is commonly associated with ActiveMQ OpenWire deployments and is the surface defenders usually check first when reviewing external exposure. That port reference is an inference based on standard ActiveMQ deployment practice, not a statement from Apache in the cited advisory.

The Jolokia issues are narrower. Apache’s advisory ties CVE-2026-34197 and CVE-2026-40466 to the ActiveMQ Classic web console and the `/api/jolokia/` management endpoint, with authenticated access as part of the attack path.

### What should defenders check next?

CISA says organizations should use the KEV catalog as an input to vulnerability-management prioritization, and its April 16 alert names CVE-2026-34197 as actively exploited. (activemq.apache.org)

Apache’s security advisories page lists the current fixes and follow-on issues for ActiveMQ Classic, including CVE-2026-34197 and CVE-2026-40466. (activemq.apache.org) Apache’s security pages are the next stop for version-specific remediation, while CISA’s KEV catalog remains the federal source for whether a flaw has been seen exploited in the wild.
(activemq.apache.org) (cisa.gov)
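
Added example (not from Apache or the original article): a Python triage helper that checks inventoried ActiveMQ Classic versions against the CVE-2023-46604 ranges quoted above. The host names and versions in the sample inventory are constructed, and only the branches listed in this article are encoded; the Jolokia CVEs are not covered because the article gives no version ranges for them.

```python
import re

# Affected ActiveMQ Classic ranges for CVE-2023-46604 as listed in the Apache
# advisory quoted in this article: (first affected, first fixed) per branch.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),  # "versions before 5.15.16"
]
FIXED_VERSIONS = {fixed for _, fixed in AFFECTED_RANGES}
VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify(version_text):
    """Classify one reported broker version against the listed ranges."""
    m = VERSION_RE.match(version_text)
    if not m:
        return "unknown"  # unparseable string: needs a manual look
    version = tuple(int(part or 0) for part in m.groups()[:3])
    suffix = m.group(4).strip()
    if any(low <= version < fixed for low, fixed in AFFECTED_RANGES):
        return "affected"
    # A pre-release build of a fixed version (e.g. -SNAPSHOT) may predate the
    # fix, so it is not treated as patched here (assumption of this example).
    if suffix and version in FIXED_VERSIONS:
        return "review-manually"
    return "not-in-listed-ranges"


def triage(inventory):
    """Map each host to its CVE-2023-46604 status."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory; host names and versions are illustrative.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy": "5.15.15",
    "mq-stage": "5.17.6-SNAPSHOT",
    "mq-lab": "custom-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A result of `not-in-listed-ranges` means only that the version falls outside the branches quoted here; Apache's advisory pages remain the reference for the full affected list.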