ActiveMQ added to CISA KEV
A critical Apache ActiveMQ vulnerability (CVE-2026-34197) was added to CISA’s Known Exploited Vulnerabilities list, indicating active exploitation in the wild. CISA set an April 30 remediation deadline for federal agencies, creating a near-term patch-or-mitigate timetable for any organization that runs ActiveMQ. (thehackernews.com)
Apache ActiveMQ users just got a hard deadline: CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16. (cisa.gov) CISA’s catalog is the federal government’s list of bugs already being used in real attacks, and this entry gives federal civilian agencies until April 30, 2026 to fix or mitigate it under Binding Operational Directive 22-01. (cisa.gov 1) (cisa.gov 2)

The flaw sits in ActiveMQ Classic, Apache’s message broker software, and affects versions before 5.19.4 and versions 6.0.0 through 6.2.2. Apache says 5.19.4 and 6.2.3 contain the fix. (activemq.apache.org) (cve.org)

ActiveMQ is the software that moves messages between applications, like a mailroom passing envelopes between systems. In this case, the weak point is the Jolokia management interface, an HTTP endpoint that lets administrators send management commands to the broker. (activemq.apache.org) Apache says an authenticated attacker can use that management interface to make the broker load a remote Spring XML file, and the Java process can run attacker-chosen code before the broker finishes checking the configuration. NIST’s National Vulnerability Database shows a CISA-assigned CVSS 3.1 score of 8.8. (activemq.apache.org) (nvd.nist.gov)

The bug was published on April 7, 2026, and Apache credited Naveen Sunkavally of Horizon3.ai with finding it. Nine days later, CISA moved it into the KEV list, which means the agency has evidence of exploitation in the wild even though it has not published attack details. (cve.org) (cisa.gov)

That timeline is what changes the story for defenders. A newly disclosed bug can wait in a patch queue; a KEV-listed bug usually jumps to the front because CISA treats it as an active intrusion risk, not a theoretical one. (cisa.gov 1) (cisa.gov 2) Apache’s own advisory also places this issue in a product line with a long security history around management and deserialization features, including ActiveMQ Classic flaws disclosed in 2024, 2023 and 2022. That history matters because the vulnerable path here also runs through Jolokia, the same management surface administrators often expose for convenience. (activemq.apache.org)

For organizations that run ActiveMQ Classic, the immediate choices are narrow: upgrade to 5.19.4 or 6.2.3, restrict access to the web console and Jolokia endpoint, and treat internet-exposed management interfaces as suspect until they are checked. CISA’s April 30 date gives federal agencies 13 days from today, April 17, 2026. (activemq.apache.org) (cisa.gov)
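The affected and fixed versions above turn into a simple triage rule for an ActiveMQ Classic fleet. The script below is an added example written for this page, not code from the article, CISA or the Apache project. It encodes only the ranges the advisory summary gives (before 5.19.4, and 6.0.0 through 6.2.2; fixed in 5.19.4 and 6.2.3), ranks brokers so that affected instances whose web console or Jolokia endpoint is internet-reachable come first, and counts the days left to the April 30 remediation date. The inventory, hostnames and the "management interface exposed" flag are constructed sample data; a real run would feed in the versions and exposure facts from your own asset inventory.

```python
"""Triage an ActiveMQ Classic inventory against the CVE-2026-34197 affected ranges.

Added example (not from the article or the Apache project). The affected and fixed
versions are the ones stated in the article; the inventory below is constructed.
"""
from __future__ import annotations

import re
from datetime import date

# Boundaries as stated in the advisory summary.
FIXED_5X = (5, 19, 4)             # 5.x line fixed in 5.19.4 ("before 5.19.4" is affected)
FIRST_6X = (6, 0, 0)              # affected 6.x range starts at 6.0.0
FIXED_6X = (6, 2, 3)              # 6.x line fixed in 6.2.3 (6.0.0 through 6.2.2 affected)
KEV_DUE_DATE = date(2026, 4, 30)  # BOD 22-01 remediation date set by CISA
ARTICLE_DATE = date(2026, 4, 17)  # "today" in the article

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '5.18.3' or '6.1.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(version: str) -> str:
    """'affected', 'fixed', or 'unknown' for a major line the advisory gives no range for."""
    v = parse_version(version)
    if v[0] <= 5:
        return "affected" if v < FIXED_5X else "fixed"
    if v[0] == 6:
        return "affected" if FIRST_6X <= v < FIXED_6X else "fixed"
    return "unknown"


def target_release(version: str) -> str:
    """Smallest fixed release on the same major line, so a 5.x broker stays on 5.x."""
    return "5.19.4" if parse_version(version)[0] <= 5 else "6.2.3"


def days_until_deadline(today: date) -> int:
    """Days left before CISA's remediation date (negative once it has passed)."""
    return (KEV_DUE_DATE - today).days


def triage(inventory):
    """Rank brokers: affected with an internet-reachable management interface first."""
    rows = []
    for host, version, mgmt_exposed in inventory:
        st = status(version)
        if st == "affected":
            action = f"upgrade to {target_release(version)}"
            if mgmt_exposed:
                action += "; restrict web console/Jolokia access now and review for compromise"
            priority = 0 if mgmt_exposed else 1
        elif st == "fixed":
            action, priority = "none (patched release)", 3
        else:
            action, priority = "manual review (version outside the advisory's ranges)", 2
        rows.append({"host": host, "version": version, "status": st,
                     "exposed": mgmt_exposed, "priority": priority, "action": action})
    rows.sort(key=lambda r: (r["priority"], r["host"]))
    return rows


# Constructed sample inventory: (hostname, reported version, management interface internet-reachable?)
SAMPLE_INVENTORY = [
    ("mq-prod-1.example.internal", "5.18.3", True),
    ("mq-prod-2.example.internal", "6.1.2", False),
    ("mq-lab.example.internal", "6.2.3", False),
    ("mq-legacy.example.internal", "5.19.4", True),
]

if __name__ == "__main__":
    print(f"{days_until_deadline(ARTICLE_DATE)} days until the CISA remediation date")
    for r in triage(SAMPLE_INVENTORY):
        print(f"[P{r['priority']}] {r['host']:28} {r['version']:8} {r['status']:8} -> {r['action']}")
```

The exposure flag deliberately comes from inventory data rather than from probing the brokers: the point is to decide the order of work (patch-and-restrict the reachable ones first, then the rest) before the deadline, and an "unknown" status for any version outside the advisory's stated ranges is left for a human rather than silently marked safe.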