13-Year-Old Bug in Apache ActiveMQ Classic Enables Remote Code Execution
Security researchers have uncovered a remote code execution (RCE) vulnerability, **CVE-2026-34197**, in **Apache ActiveMQ Classic** that has remained undetected for 13 years. The flaw could allow attackers to execute arbitrary commands on vulnerable systems.

## Discovery of the Vulnerability
The vulnerability was discovered using the **Claude** AI assistant, which identified a potential exploit path by analyzing the interaction between independently developed components within **Apache ActiveMQ Classic**. This highlights the increasing role of AI in vulnerability research.
## Technical Details of CVE-2026-34197
Tracked as **CVE-2026-34197**, the security issue has been assigned a high severity score of 8.8. It affects **Apache ActiveMQ/Broker** versions prior to 5.19.4, and all versions from 6.0.0 up to 6.2.3.
**Apache ActiveMQ** is an open-source message broker written in Java that facilitates asynchronous communication through message queues or topics. While a newer 'Artemis' branch exists, the 'Classic' edition, impacted by **CVE-2026-34197**, is still widely used in enterprise environments, web backends, and government systems built on Java.
## AI's Role in Uncovering the Flaw
**Horizon3** researcher Naveen Sunkavally discovered the issue using **Claude** with basic prompts. According to Sunkavally, **Claude** identified the vulnerability by examining multiple individual components, including **Jolokia**, **JMX**, network connectors, and VM transports.
"Each feature in isolation does what it's supposed to, but they were dangerous together. This is exactly where Claude shone - efficiently stitching together this path end to end with a clear head free of assumptions."
## Patch Availability
The vulnerability was reported to **Apache** maintainers on March 22, and a patch was released on March 30 in **ActiveMQ Classic** versions 6.2.3 and 5.19.4.
## Exploit Mechanism
A report from **Horizon3** explains that the vulnerability stems from **ActiveMQ's Jolokia** management API exposing a broker function (`addNetworkConnector`) that can be abused to load external configurations. An attacker can send a specially crafted request to force the broker to fetch a remote Spring XML file and execute arbitrary system commands during its initialization.
The issue requires authentication via **Jolokia**, but becomes unauthenticated on versions 6.0.0 through 6.1.1 due to a separate bug, **CVE-2024-32114**, which exposes the API without access control.

## Recommendation
**Horizon3** researchers emphasize the risk posed by this flaw, citing previous **ActiveMQ** vulnerabilities exploited in real-world attacks.
"We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers, and methods for exploitation and post-exploitation of ActiveMQ are well-known," **Horizon3** states.
They also noted that **CVE-2016-3088** and **CVE-2023-46604** are on CISA's KEV list.
Although **CVE-2026-34197** isn't reported as actively exploited, signs of exploitation can be found in **ActiveMQ** broker logs. They recommend looking for suspicious broker connections that use the internal transport protocol VM and the `brokerConfig=xbean:http://` query parameter. Command execution occurs during multiple connection attempts, and a warning message about a configuration problem indicates successful payload execution.
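
The log check described above can be scripted. The following is an added example, not code from Horizon3 or the Apache project: it flags lines containing a `vm://` URI whose `brokerConfig` parameter points `xbean:` at a remote URL. The sample log lines, their format and the function name are constructed for illustration, and matching `https://` and percent-encoded forms is an assumption that goes beyond the indicator as stated.

```python
import re
from urllib.parse import unquote

# A vm:// transport URI, up to the first whitespace, quote or angle bracket.
VM_URI = re.compile(r"vm://[^\s\"'<>]+", re.IGNORECASE)
# brokerConfig=xbean: pointing at a remote URL rather than a local file.
REMOTE_XBEAN = re.compile(
    r"[?&]brokerConfig=xbean:(https?://[^\s&\"'<>)]+)", re.IGNORECASE
)

# Constructed sample lines; real broker log layouts will differ.
SAMPLE_LOG = [
    "INFO  Connector vm://localhost started",
    "INFO  Establishing connection to 'vm://x?brokerConfig=xbean:http://192.0.2.10/a.xml'",
    "INFO  Connecting via vm://localhost?brokerConfig=xbean:activemq.xml",
    "DEBUG request uri=vm%3A%2F%2Fy%3FbrokerConfig%3Dxbean%3Ahttp%3A%2F%2Fcfg.example.invalid%2Fb.xml",
    "WARN  Transport tcp://198.51.100.7:61616 failed",
]


def find_suspicious(lines):
    """Return (line_number, remote_config_url) for each flagged line."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        line = unquote(raw)  # also catch percent-encoded variants
        for uri in VM_URI.findall(line):
            match = REMOTE_XBEAN.search(uri)
            if match:
                hits.append((number, match.group(1)))
    return hits


if __name__ == "__main__":
    for number, url in find_suspicious(SAMPLE_LOG):
        print(f"line {number}: vm:// transport loads remote broker config {url}")
```

A `vm://` URI that loads a local `xbean:` file (line 3 of the sample) is not flagged, which keeps ordinary embedded-broker configurations out of the results.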