Apache ActiveMQ CVE-2026-34197 Pre-Auth RCE via VM Transport Code Injection

Vulnerability Overview CVE ID: CVE-2026-34197 Description: A "code injection" vulnerability exists in Apache ActiveMQ Broker, allowing unauthenticated attackers to trigger BrokerConfig parameters for the VM transport by constructing a malicious URI, thereby loading a remote Spring XML application context. Since Spring's instantiates all singleton beans before validates the configuration, this leads to arbitrary code execution. Affected Versions Affected Versions: - Apache ActiveMQ Broker: Before 5.19.4, before 6.2.3 in 6.0.0 - Apache ActiveMQ All: Before 5.19.4, before 6.2.3 in 6.0.0 - Apache ActiveMQ Web: Before 5.19.4, before 6.2.3 in 6.0.0 Remediation Recommendation: Upgrade to version 5.19.4 or 6.2.3 to fix this vulnerability. Additional Information CVSS Score: NIST assessment not provided; ADP assessment is 8.8 HIGH References: - Openwall - Apache ActiveMQ - CISA Weakness Enumeration CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') Known Affected Software Configurations Configuration 1: - from 5.19.4 to 6.2.3 - from 5.19.4 to 6.2.3 Change History 8 change records; specific details can be viewed at show changes. Quick Info CVE Dictionary Entry: CVE-2026-34197 Publication Date: April 7, 2026 Last Modified Date: April 16, 2026 Source: Apache Software Foundation

Goal Reached Thanks to every supporter — we hit 100%!

Apache ActiveMQ CVE-2026-34197 Pre-Auth RCE via VM Transport Code Injection