RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years


Wed, 08 Apr 2026


Executive Summary

A 13-year-old remote code execution vulnerability in Apache ActiveMQ Classic can be chained to bypass authentication and execute OS commands.

Details

A remote code execution (RCE) vulnerability that lurked in Apache ActiveMQ Classic for 13 years could be chained with an older flaw to bypass authentication, Horizon3.ai reports. An open source messaging and Integration Patterns server, Apache ActiveMQ acts as a middleware broker that handles message queues and is widely used across numerous industries. ActiveMQ Classic is the original version of the broker. Tracked as CVE-2026-34197, the newly identified bug allows attackers to invoke management operations through the Jolokia API and cause the broker to retrieve a remote configuration file and execute OS commands.

According to Horizon3.ai, the security defect is a bypass for CVE-2022-41678, a bug that allows attackers to write webshells to disk by invoking specific JDK MBeans. The fix for that earlier bug, the cybersecurity firm explains, added a flag that makes all operations on every ActiveMQ MBean callable through Jolokia. The code execution issue was identified in an operation that sets up broker-to-broker bridges at runtime. Exploitation, however, also requires targeting ActiveMQ's VM transport feature, which was designed for embedding a broker inside an application.

This results in the client and broker communicating directly within the same JVM.
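As a detection aid for the chain described above, the following added example (not code from Horizon3.ai or the Apache project) scans Jolokia POST request bodies for `exec` calls against ActiveMQ MBeans whose arguments carry a transport or remote URI. It assumes the bodies are available from a reverse proxy or WAF log; the sample bodies, `placeholderOperation`, and the list of flagged schemes are constructed for illustration.

```python
import json
import re

ACTIVEMQ_DOMAIN = "org.apache.activemq"
# Assumption: schemes worth flagging, based on the article's mention of the
# VM transport and of a remotely retrieved configuration file.
SUSPECT_SCHEMES = re.compile(r"\b(vm|https?)://", re.IGNORECASE)

# Constructed sample bodies (not captured traffic; operation name is a placeholder).
SAMPLES = [
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"attribute":"TotalMessageCount"}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"placeholderOperation","arguments":["vm://placeholder"]}',
    '[{"type":"exec","mbean":"java.lang:type=Memory","operation":"gc"}]',
    'not json',
]


def iter_requests(body):
    """Yield each Jolokia request; a body is one JSON object or a bulk array."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return  # unparseable bodies yield nothing
    for item in parsed if isinstance(parsed, list) else [parsed]:
        if isinstance(item, dict):
            yield item


def flag_exec(body):
    """Return (operation, schemes) for exec calls on ActiveMQ MBeans with URI arguments."""
    hits = []
    for req in iter_requests(body):
        if str(req.get("type", "")).lower() != "exec":
            continue
        if not str(req.get("mbean", "")).startswith(ACTIVEMQ_DOMAIN + ":"):
            continue
        args = json.dumps(req.get("arguments", []))  # flatten nested arguments
        schemes = sorted({s.lower() for s in SUSPECT_SCHEMES.findall(args)})
        if schemes:
            hits.append((req.get("operation"), schemes))
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        print(flag_exec(sample))
```

A hit is a triage signal rather than proof of exploitation, since legitimate administration can also pass URIs to broker operations.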