The flaw is tracked as CVE-2026-34197 and carries a excessive severity score (CVSS 8.8). It impacts ActiveMQ Traditional variations prior to five.19.4 and several other 6.x releases.
Whereas, by definition, the exploit requires authentication, Sunkavally identified that default credentials like “admin:admin” are nonetheless extensively deployed in actual environments. Worse, in sure ActiveMQ 6.x variations, a separate flaw (CVE-2024-32114) can expose the Jolokia API with none authentication.
“In these variations, CVE-2026-34197 is successfully an unauthenticated RCE,” he mentioned.
AI accelerated discovery
ActiveMQ has been right here earlier than. The platform has a monitor file of high-impact vulnerabilities tied to administration surfaces and unsafe assumptions round trusted inputs. From older internet console flaws to deserialization bugs and protocol-level RCEs, administrative functionalities have persistently change into assault vectors.
