Critical Vulnerability in Apache ActiveMQ Classic
13 April 2026
Apache has released security updates to address a critical vulnerability in Apache ActiveMQ Classic. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
Apache has released security updates to address a code injection vulnerability (CVE-2026-34197) affecting Apache ActiveMQ Classic.
Impact
Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary code on the affected system. On versions 6.0.0 through 6.1.1, when chained with CVE-2024-32114, the vulnerability can be exploited by an unauthenticated attacker, potentially resulting in full compromise of the affected system.
Affected Products
This vulnerability affects the following Apache ActiveMQ Classic versions:
- Apache ActiveMQ versions prior to 5.19.4
- Apache ActiveMQ versions 6.0.0 through 6.2.2
- Apache ActiveMQ Broker versions prior to 5.19.4
- Apache ActiveMQ Broker versions 6.0.0 through 6.2.2
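To prioritise patching, the version ranges above and the 6.0.0 through 6.1.1 range from the Impact section can be applied to a broker inventory. The following is an added example, not code from Apache or from this advisory; the inventory format, hostnames and status labels are assumptions, and "not-listed" only means the version is outside the ranges stated here.

```python
import re

# Ranges as stated in this advisory (bounds inclusive unless noted).
FIRST_UNAFFECTED_5X = (5, 19, 4)      # "versions prior to 5.19.4"
AFFECTED_6X = ((6, 0, 0), (6, 2, 2))  # "6.0.0 through 6.2.2"
UNAUTH_6X = ((6, 0, 0), (6, 1, 1))    # chain with CVE-2024-32114

def parse_version(text):
    """Return (major, minor, patch) from strings like '5.18.3' or '6.1.0-SNAPSHOT'.

    Suffixes are ignored, so a pre-release is treated like its release number.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(text):
    """Classify one version against the advisory's affected ranges."""
    v = parse_version(text)
    if UNAUTH_6X[0] <= v <= UNAUTH_6X[1]:
        return "affected-unauthenticated"   # patch these first
    if v < FIRST_UNAFFECTED_5X or AFFECTED_6X[0] <= v <= AFFECTED_6X[1]:
        return "affected-authenticated"
    return "not-listed"

def triage(inventory):
    """Map host -> status; unparseable versions are flagged for manual review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "review-manually"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "mq-a.example.internal": "5.18.3",
    "mq-b.example.internal": "6.1.0",
    "mq-c.example.internal": "6.2.2",
    "mq-d.example.internal": "5.19.4",
    "mq-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:24} {SAMPLE[host]:10} {status}")
```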
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately.
References
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
https://nvd.nist.gov/vuln/detail/CVE-2026-34197
https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
