Improper Input Validation in Apache ActiveMQ (CVE-2026-34197): Risk of Code Injection, Remediation Due April 30
A vulnerability stemming from insufficient validation of input has been identified in Apache ActiveMQ, an open-source messaging platform. It may lead to code injection (the insertion of unauthorized commands).
Key facts
- CVE ID: CVE-2026-34197
- CVSS base score: 8.8 HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): Apache ActiveMQ
- CWE: CWE-20, CWE-94
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-04-30 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Affects Apache's open-source message-relay platform ActiveMQ (CVE-2026-34197).
- The flaw type is improper input validation, which may lead to code injection (insertion of unauthorized commands).
- CISA added it to the KEV (Known Exploited Vulnerabilities) catalog on April 16, 2026.
- The remediation deadline for federal agencies is April 30, 2026, with action required under BOD 22-01.
- The official NVD severity is CVSS v3.1 8.8 (HIGH).
ActiveMQ is foundational software that relays messages (exchanges of data) between multiple systems and applications. It is widely used as a behind-the-scenes backbone that connects many business processes, such as order handling, notifications, and system integration. CVE-2026-34197 concerns a flaw in which ActiveMQ does not sufficiently validate the input it receives, known as improper input validation.
When input validation is insufficient, software may accept data in unexpected forms, which can lead to code injection, where an attacker slips in unauthorized commands. Because ActiveMQ sits at a relay point connecting many systems, an impact here is notable for its potential to ripple across the multiple connected systems. The official NVD severity rating is CVSS v3.1 8.8 (HIGH).
Open-source foundational components are used in common across many organizations, which tends to make them attractive targets. Under Binding Operational Directive (BOD) 22-01 for federal civilian agencies, CISA calls for applying mitigations per the vendor's (Apache's) instructions, and discontinuing use of the affected product if mitigations cannot be applied. The remediation deadline is April 30, 2026.
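The KEV-driven triage the directive implies, as an added example that is not part of the original article: a Python check that reads a feed in the CISA KEV JSON layout, keeps only entries for products in a local asset inventory, and reports the days left to each BOD 22-01 due date. The feed and inventory below are constructed (the first entry uses this advisory's values); the live catalog and a real inventory are assumed to be supplied by the operator.

```python
import json
from datetime import date

# Constructed sample in the CISA KEV JSON feed layout (field names as in the
# real feed); the first entry's values come from the advisory above. This is
# not the live catalog, which should be fetched from CISA for real triage.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {
        "cveID": "CVE-2026-34197",
        "vendorProject": "Apache",
        "product": "ActiveMQ",
        "requiredAction": "Apply mitigations per vendor instructions or "
                          "discontinue use of the product if mitigations are unavailable.",
        "dueDate": "2026-04-30",
    },
    {   # unrelated constructed entry; must not match the inventory below
        "cveID": "CVE-0000-00000",
        "vendorProject": "ExampleVendor",
        "product": "ExampleProduct",
        "requiredAction": "Apply updates per vendor instructions.",
        "dueDate": "2026-01-15",
    },
]})

# Constructed asset inventory of (vendor, product) pairs actually deployed.
INVENTORY = {("apache", "activemq"), ("examplevendor", "otherproduct")}


def kev_triage(kev_json, inventory, today_iso):
    """Return KEV entries matching deployed products, earliest due date first;
    days_left goes negative once the BOD 22-01 deadline has passed."""
    today = date.fromisoformat(today_iso)
    matches = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in inventory:
            continue  # KEV entry for software we do not run
        due = date.fromisoformat(entry["dueDate"])
        matches.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "action": entry["requiredAction"],
        })
    return sorted(matches, key=lambda m: m["due"])
```

Because results are sorted by due date, overdue items (negative days_left) surface first in the list.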
Why it matters
Because ActiveMQ is widely used as a relay backbone connecting multiple business systems, an impact can ripple across connected systems. With a high severity of CVSS 8.8 (HIGH) and a CISA remediation deadline of April 30, 2026, its role as a foundational component makes it a high-priority item to address.
FAQ
What is ActiveMQ?
What is code injection?
What action is required?
Sources (primary)
This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).