{"uuid": "8ebd5ace-feca-4899-be14-df89f1ce2f55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-34197", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_activemq_jolokia_rce.rb", "content": "{\"aliases\": [], \"arch\": \"cmd\", \"author\": [\"dinosn\", \"h00die\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"Apache ActiveMQ exposes a Jolokia JMX-over-HTTP API at /api/jolokia/.\\n An authenticated attacker can invoke the addNetworkConnector() MBean\\n operation with a crafted URI that causes the broker to fetch a remote\\n Spring XML configuration over HTTP. The Spring XML instantiates a\\n ProcessBuilder bean that executes attacker-supplied OS commands.\\n\\n Default credentials (admin:admin) are accepted by many installations.\\n\\n Verified on docker image\", \"disclosure_date\": \"2026-04-29\", \"fullname\": \"exploit/multi/http/apache_activemq_jolokia_rce\", \"is_install_path\": true, \"mod_time\": \"2026-05-28 12:56:10 +0000\", \"name\": \"Apache ActiveMQ RCE via Jolokia addNetworkConnector\", \"needs_cleanup\": null, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"ioc-in-logs\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/exploits/multi/http/apache_activemq_jolokia_rce.rb\", \"platform\": \"Linux,Unix,Windows\", \"post_auth\": true, \"rank\": 600, \"ref_name\": \"multi/http/apache_activemq_jolokia_rce\", \"references\": [\"CVE-2026-34197\", \"URL-https://github.com/dinosn/CVE-2026-34197\", \"URL-https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/\"], \"rport\": 8161, \"session_types\": false, \"targets\": [\"Windows\", \"Linux\", \"Unix\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-29T08:03:47.000000Z"}