CISOOnline

Claude uncovers a 13‑year‑old ActiveMQ RCE bug within minutes

The flaw is tracked as CVE-2026-34197 and carries a high severity rating (CVSS 8.8). It affects ActiveMQ Classic versions prior to 5.19.4 and several 6.x releases.

While the exploit, by definition, requires authentication, Sunkavally pointed out that default credentials like “admin:admin” are still widely deployed in real environments. Worse, in certain ActiveMQ 6.x versions, a separate flaw (CVE-2024-32114) can expose the Jolokia API without any authentication.

“In those versions, CVE-2026-34197 is effectively an unauthenticated RCE,” he said.

AI accelerated discovery

ActiveMQ has been here before. The platform has a track record of high-impact vulnerabilities tied to management surfaces and unsafe assumptions around trusted inputs. From older web console flaws to deserialization bugs and protocol-level RCEs, its administrative functionality has repeatedly become an attack vector.


