In the latest demonstration of how AI assistants can help with bug hunting, Horizon3.ai researcher Naveen Sunkavally used Claude to unearth CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ that’s been introduced in the codebase 13 years ago.
The vulnerability was patched in late March 2026 and there’s currently no indication that it is being actively exploited by attackers.
Neveretheless, with ActiveMQ vulnerabilities having been previously leveraged for ransomware and malware attacks, organizations should update their installations and look for potential indicators of compromise.
About CVE-2026-34197
CVE-2026-34197 is a improper input validation and code injection vulnerability in the popular Apache ActiveMQ open-source message broker for asynchronous communication.
“ActiveMQ comes in two flavors: ActiveMQ Classic, the original broker, and ActiveMQ Artemis, a newer implementation. This vulnerability affects Classic only,” Sunkavally noted.
“In hindsight, the vulnerability is obvious, but you can see why it was missed over the years. It involved multiple components developed independently over time: Jolokia, JMX, network connectors, and VM transports. Each feature in isolation does what it’s supposed to, but they were dangerous together. This is exactly where Claude shone – efficiently stitching together this path end to end with a clear head free of assumptions.”
Sunkavally also noted that while the vulnerability normally requires credentials, default username and password combinations (e.g., admin:admin) are widely used across many environments.
“On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE,” he explained.
Mitigation and investigation
CVE-2026-34197 has been fixed in ActiveMQ versions 6.2.3 and 5.19.4, and organizations using ActiveMQ should upgrade to one of them as soon as possible, especially now that technical details are public.
Sunkavally also advised organizations to check their ActiveMQ broker logs for possible inficators of compromise:
- Network connector activity referencing vm:// URIs with brokerConfig=xbean:http.
- POST requests to /api/jolokia/ containing addNetworkConnector in the request body
- Outbound HTTP requests from the ActiveMQ broker process to unexpected hosts, and
- Unexpected child processes spawned by the ActiveMQ Java process
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
