The flaw is tracked as CVE-2026-34197 and carries a high severity rating (CVSS 8.8). It affects ActiveMQ Classic versions prior to 5.19.4 and several 6.x releases.
While the exploit by definition requires authentication, Sunkavally noted that default credentials like “admin:admin” are still widely deployed in real environments. Worse, in certain ActiveMQ 6.x versions, a separate flaw (CVE-2024-32114) can expose the Jolokia API without any authentication.
“In these versions, CVE-2026-34197 is effectively an unauthenticated RCE,” he said.
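A defender's audit for the two exposure conditions described above, as an added example that is not code from the article or from the ActiveMQ project: it flags default-style credentials in a Jetty-style realm file and classifies a broker version against the 5.19.4 release named here. The realm line format (`user: password, role`), the short list of default passwords and the sample file contents are assumptions constructed for illustration.

```python
import re

FIXED_5X = (5, 19, 4)  # fixed release named in the article; fixed 6.x releases are not listed
OPAQUE_PREFIXES = ("OBF:", "MD5:", "CRYPT:")  # Jetty obfuscated/hashed password forms
COMMON_DEFAULTS = {"admin", "password", "activemq"}  # assumed short list, extend locally

# Constructed sample realm file, not taken from a real deployment.
SAMPLE_REALM = """\
# username: password [, role ...]
admin: admin, admin
user: user, user
ops: OBF:1v2j1uum1xtv1zej, admin
svc-monitor = Xk9-constructed-value, user
"""

def parse_realm(text):
    """Yield (user, password, roles) from 'user: password, role' lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)", line)
        if m:
            fields = [f.strip() for f in m.group(2).split(",")]
            yield m.group(1), fields[0], fields[1:]

def weak_accounts(text):
    """Return (user, roles) where the password is the user name or a common default."""
    findings = []
    for user, password, roles in parse_realm(text):
        if password.startswith(OPAQUE_PREFIXES):
            continue  # not comparable as text; review separately
        if password == user or password.lower() in COMMON_DEFAULTS:
            findings.append((user, roles))
    return findings

def version_status(version):
    """Classify a broker version against the release named in the article."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    if parts[0] >= 6:
        return "check-advisory"  # affected 6.x releases are not enumerated in the article
    return "affected" if parts < FIXED_5X else "not-affected"

if __name__ == "__main__":
    for user, roles in weak_accounts(SAMPLE_REALM):
        print(f"default credential: {user} roles={roles}")
    for v in ("5.9.0", "5.19.4", "6.1.2"):
        print(v, version_status(v))
```

Versions are compared as integer tuples, so 5.9.0 sorts below 5.19.4, which a plain string comparison would get wrong.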
AI accelerated discovery
ActiveMQ has been here before. The platform has a track record of high-impact vulnerabilities tied to management surfaces and unsafe assumptions around trusted inputs. From older web console flaws to deserialization bugs and protocol-level RCEs, administrative functionality has repeatedly become an attack vector.



