Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact. Tracked as CVE-2026-34197, the security issue received a high severity score of 8.8 and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3. This is also the reason why it was missed for more than a decade. Apache ActiveMQ is an open-source message broker written in Java that handles asynchronous communication via message queues or topics. Although ActiveMQ has released a newer ‘Artemis’ branch with better performance, the ‘Classic’ edition impacted by CVE-2026-34197 is widely deployed in enterprise, web backends, government, and company systems built on Java. Horizon3 researcher Naveen Sunkavally found the issue 'with nothing more than a couple of basic prompts' in Claude. 'This was 80% Claude with 20% gift-wrapping by a human,' he said. Sunkavally notes that Claude pointed to the issue after examining multiple individual components (Jolokia, JMX, network connectors, and VM transports). 'Each feature in isolation does what it’s supposed to, but they were dangerous together. This is exactly where Claude shone - efficiently stitching together this path end to end with a clear head free of assumptions.' The researcher reported the vulnerability to Apache maintainers on March 22, and the developer addressed it on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4. A report from Horizon3 explains that the flaw stems from ActiveMQ’s Jolokia management API exposing a broker function (addNetworkConnector) that can be abused to load external configurations. By sending a specially crafted request, an attacker can force the broker to fetch a remote Spring XML file and execute arbitrary system commands during its initialization. The issue requires authentication via Jolokia, but becomes unauthenticated on versions 6.0.0 through 6.1.1 due to a separate bug, CVE-2024-32114, which exposes the API without access control. Unauthenticated RCE on specific ActiveMQ versions.
| Vendor | Product | Versions |
|---|---|---|
| apache software foundation | apache activemq broker | 0, 6.0.0, 0, 6.0.0, 0, 6.0.0 |
Updated severity from NONE to HIGH and marked the vulnerability as actively exploited.
Updated description with new technical details, changed severity to HIGH, confirmed CVSS score of 8.8, added new CWE ID, marked as actively exploited, and included new IoCs and tags.
Updated description with new technical details, changed severity to HIGH, added new CWEs, and included new IoCs and MITRE ATT&CK technique T1203.
Initial creation
