Summary
Apache ActiveMQ CVE-2026-34197 is a Jolokia/JMX attack path in which an authenticated attacker can invoke broker MBean operations with a crafted discovery URI. The URI can cause Spring to load a remote XML application context before broker configuration validation, enabling code execution inside the broker JVM.
Apache lists affected versions as ActiveMQ before 5.19.4 and 6.0.0 before 6.2.3, and recommends upgrading to 5.19.4 or 6.2.3. NVD records CISA KEV inclusion on April 16, 2026.
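A way to triage a broker inventory against the version ranges stated above. This is an added example, not code from Apache, Horizon3.ai or the ledger; the host names and inventory are constructed, and the function names are hypothetical.

```python
import re

# Ranges as stated in the summary: before 5.19.4, and 6.0.0 before 6.2.3.
FIXED_5X = (5, 19, 4)
FIRST_6X = (6, 0, 0)
FIXED_6X = (6, 2, 3)

def parse_version(text):
    """Return ((major, minor, patch), suffix), or None if no version is found."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(.*)", text)
    if not m:
        return None
    numbers = tuple(int(g) if g else 0 for g in m.groups()[:3])
    return numbers, m.group(4).strip()

def classify(text):
    """Classify one version string as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    # A pre-release build labelled with a fix version (e.g. 6.2.3-SNAPSHOT)
    # may predate the fix, so it is flagged for manual review.
    if suffix and version in (FIXED_5X, FIXED_6X):
        return "unknown"
    if version < FIXED_5X or FIRST_6X <= version < FIXED_6X:
        return "affected"
    return "fixed"

def triage(inventory):
    """Map each host in an iterable of (host, version) pairs to its status."""
    return {host: classify(version) for host, version in inventory}

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("mq-01.example.internal", "5.18.3"),
    ("mq-02.example.internal", "5.19.4"),
    ("mq-03.example.internal", "6.2.2"),
    ("mq-04.example.internal", "6.2.3-SNAPSHOT"),
    ("mq-05.example.internal", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check of the deployed build before they are treated as patched.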
Attribution
This entry is direct under Bugflation’s methodology because the primary research write-up from Horizon3.ai names Claude in the discovery story. The write-up says Claude was used for the first pass over the source code and for validation setup, while the human researcher wrapped and reported the finding.
Apache’s advisory does not name Claude, but it does credit Naveen Sunkavally of Horizon3.ai as finder. That gives a clean evidence chain: Horizon3.ai supplies the AI-assisted discovery attribution, while Apache and NVD corroborate the accepted vulnerability and fix.
Why it matters
This is a high-signal, non-lab example of a mainstream LLM helping a researcher compose a cross-component exploit path. The dangerous behavior required connecting Jolokia, JMX, ActiveMQ network connectors, VM transport behavior, and Spring context loading.
It also has real-world urgency beyond the proof of concept: NVD records that CISA added the CVE to the Known Exploited Vulnerabilities catalog on April 16, 2026.
References
- Horizon3.ai: CVE-2026-34197 ActiveMQ RCE via Jolokia API
- Apache ActiveMQ advisory: CVE-2026-34197
- NVD: CVE-2026-34197
- CISA KEV filtered entry
Catalogued in the Bugflation public ledger.