8.8
Apache ActiveMQ allows malicious code execution through web console
Known exploited
CVE-2026-34197
GHSA-rxpj-7qvf-xv32
Summary
Apache ActiveMQ Classic's web console has a security flaw that lets an attacker who has logged in to the console inject malicious code, execute it on the system, and take control of it. To fix this, update to version 5.19.5 or 6.2.3 of Apache ActiveMQ.
What to do
- Update org.apache.activemq:activemq-broker to version 5.19.5.
- Update org.apache.activemq:activemq-broker to version 6.2.3.
- Update org.apache.activemq:activemq-all to version 5.19.5.
- Update org.apache.activemq:activemq-all to version 6.2.3.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| – | apache | activemq | < 5.19.4; >= 6.0.0, < 6.2.3 |
| maven | – | org.apache.activemq:activemq-broker | < 5.19.5; >= 6.0.0, < 6.2.3 (Fix: upgrade to 5.19.5) |
| maven | – | org.apache.activemq:activemq-all | < 5.19.5; >= 6.0.0, < 6.2.3 (Fix: upgrade to 5.19.5) |
| – | apache | activemq_broker | < 5.19.4; >= 6.0.0, < 6.2.3 (cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*) |
Original title
Apache ActiveMQ Improper Input Validation Vulnerability
Original description
Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.
Vulnerability type
- CWE-20: Improper Input Validation
- CWE-94: Code Injection
References
- https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement...
- http://www.openwall.com/lists/oss-security/2026/04/06/3
- https://nvd.nist.gov/vuln/detail/CVE-2026-34197
- https://github.com/advisories/GHSA-rxpj-7qvf-xv32
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-...
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 7 Apr 2026