Detections
Analytics

Apache ActiveMQ < 5.19.4 / 6.x < 6.2.3 Improper Input Validation Code Injection

high Nessus Plugin ID 305955

Language:

Synopsis

The remote host is running a web application that is affected by a code injection vulnerability.

Description

The version of Apache ActiveMQ running on the remote host is prior to 5.19.4 or 6.x prior to 6.2.3. It is, therefore, affected by an improper input validation and code injection vulnerability:

 - ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ with a default access policy that permits exec operations on ActiveMQ MBeans. An authenticated attacker can exploit specific broker operations with a crafted discovery URI that manipulates the VM transport's brokerConfig parameter to load a remote Spring XML context. Since Spring instantiates singleton beans before validation occurs, arbitrary code execution can occur on the broker's JVM through bean factory methods such as Runtime.exec(). (CVE-2026-34197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache ActiveMQ version 5.19.4, 6.2.3, or later.

See Also

http://www.nessus.org/u?65498bab

Plugin Details

Severity: High

ID: 305955

File Name: activemq_CVE-2026-34197.nasl

Version: 1.3

Type: Combined

Agent: unix

Family: CGI abuses

Published: 4/10/2026

Updated: 4/16/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-34197

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:activemq

Required KB Items: installed_sw/Apache ActiveMQ

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/6/2026

Vulnerability Publication Date: 4/6/2026

CISA Known Exploited Vulnerability Due Dates: 4/30/2026

Reference Information

CVE: CVE-2026-34197

IAVB: 2026-B-0088