Vulnerability-Lookup

CNVD-2026-17369

Vulnerability from cnvd - Published: 2026-04-10

Title

Apache ActiveMQ Broker Jolokia MBeans远程代码执行漏洞

Description

Apache ActiveMQ Broker是一款开源的消息代理和集成模式服务器。 Apache ActiveMQ Broker存在安全漏洞。该漏洞源于Jolokia JMX-HTTP桥接器默认策略允许对MBeans执行exec操作，攻击者可利用该漏洞通过精心构造的URI触发远程Spring XML加载，从而在代理JVM上执行任意代码。

Severity

高

Patch Name

Apache ActiveMQ Broker Jolokia MBeans远程代码执行漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-34197

Impacted products

Name
['Apache ActiveMQ <5.19.4', 'Apache ActiveMQ >=6.0.0，<6.2.3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-34197",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-34197"
    }
  },
  "description": "Apache ActiveMQ Broker\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u6d88\u606f\u4ee3\u7406\u548c\u96c6\u6210\u6a21\u5f0f\u670d\u52a1\u5668\u3002\n\nApache ActiveMQ Broker\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eJolokia JMX-HTTP\u6865\u63a5\u5668\u9ed8\u8ba4\u7b56\u7565\u5141\u8bb8\u5bf9MBeans\u6267\u884cexec\u64cd\u4f5c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7cbe\u5fc3\u6784\u9020\u7684URI\u89e6\u53d1\u8fdc\u7a0bSpring XML\u52a0\u8f7d\uff0c\u4ece\u800c\u5728\u4ee3\u7406JVM\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-17369",
  "openTime": "2026-04-10",
  "patchDescription": "Apache ActiveMQ Broker\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u6d88\u606f\u4ee3\u7406\u548c\u96c6\u6210\u6a21\u5f0f\u670d\u52a1\u5668\u3002\r\n\r\nApache ActiveMQ Broker\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eJolokia JMX-HTTP\u6865\u63a5\u5668\u9ed8\u8ba4\u7b56\u7565\u5141\u8bb8\u5bf9MBeans\u6267\u884cexec\u64cd\u4f5c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7cbe\u5fc3\u6784\u9020\u7684URI\u89e6\u53d1\u8fdc\u7a0bSpring XML\u52a0\u8f7d\uff0c\u4ece\u800c\u5728\u4ee3\u7406JVM\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache ActiveMQ Broker Jolokia MBeans\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache ActiveMQ \u003c5.19.4",
      "Apache ActiveMQ \u003e=6.0.0\uff0c\u003c6.2.3"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-34197",
  "serverity": "\u9ad8",
  "submitTime": "2026-04-08",
  "title": "Apache ActiveMQ Broker Jolokia MBeans\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2026-34197 (GCVE-0-2026-34197)

Vulnerability from cvelistv5 – Published: 2026-04-07 07:50 – Updated: 2026-04-17 03:55

Title

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

Summary

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

Severity ?

No CVSS data available.

CWE

CWE-20 - Improper Input Validation
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

apache

References

URL

Tags

https://activemq.apache.org/security-advisories.d…

vendor-advisory

Impacted products

Vendor

Product

Version

Apache Software Foundation

Apache ActiveMQ Broker

Affected: 0 , < 5.19.4 (semver)
Affected: 6.0.0 , < 6.2.3 (semver)

	Apache Software Foundation	Apache ActiveMQ All	Affected: 0 , < 5.19.4 (semver) Affected: 6.0.0 , < 6.2.3 (semver)
	Apache Software Foundation	Apache ActiveMQ	Affected: 0 , < 5.19.4 (semver) Affected: 6.0.0 , < 6.2.3 (semver)

Credits

Naveen Sunkavally (Horizon3.ai)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-07T08:29:14.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/06/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34197",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T03:55:12.349Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-broker",
          "product": "Apache ActiveMQ Broker",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.3",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:activemq-all",
          "product": "Apache ActiveMQ All",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.3",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.activemq:apache-activemq",
          "product": "Apache ActiveMQ",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "5.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2.3",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Naveen Sunkavally (Horizon3.ai)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Input Validation, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.\u003cbr\u003e\u003cbr\u003eApache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including\u003cbr\u003eBrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).\u003cbr\u003e\u003cbr\u003eAn authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport\u0027s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.\u003cbr\u003eBecause Spring\u0027s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker\u0027s JVM through bean factory methods such as Runtime.exec().\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.\u003c/span\u003e\n\n\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Improper Input Validation, Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.\n\nApache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including\nBrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).\n\nAn authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport\u0027s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext.\nBecause Spring\u0027s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker\u0027s JVM through bean factory methods such as Runtime.exec().\n\n\n\nThis issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3.\n\n\n\nUsers are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T15:39:00.575Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34197",
    "datePublished": "2026-04-07T07:50:10.958Z",
    "dateReserved": "2026-03-26T14:51:21.456Z",
    "dateUpdated": "2026-04-17T03:55:12.349Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-17369

CVE-2026-34197 (GCVE-0-2026-34197)

Tags

Sightings

Nomenclature