The U.S. Cybersecurity and Infrastructure Security Agency has added a high-severity code injection vulnerability in Apache ActiveMQ Classic to its catalog following reports of active exploitation in the wild.

Key Points

• The vulnerability, tracked as CVE-2026-34197, carries a CVSS score of 8.8 and allows attackers to execute arbitrary code via the Jolokia API.
• Federal Civilian Executive Branch agencies must apply necessary security patches by the April 30, 2026, deadline set by CISA.
• Impacted software includes Apache ActiveMQ Broker and ActiveMQ versions prior to 5.19.4 and 6.2.3.
• Exploitation is facilitated by default credentials or, in specific versions, by the unauthenticated exposure of the Jolokia API.
• Fortinet FortiGuard Labs reported a surge in exploitation attempts peaking on April 14, 2026.

Why it Matters

This flaw poses a significant risk to enterprise data pipelines and messaging systems that rely on Apache ActiveMQ. Because attackers are rapidly weaponizing these vulnerabilities, organizations must immediately audit their deployments to restrict access to management endpoints and apply the latest security updates.