GoKawiilSecurity researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands.
The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact.
Tracked as CVE-2026-34197, the security issue received a high severity score of 8.8 and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3
This is also the reason why it was missed for more than a decade.
Apache ActiveMQ is an open-source message broker written in Java that handles asynchronous communication via message queues or topics.
Although ActiveMQ has released a newer ‘Artemis’ branch with better performance, the ‘Classic’ edition impacted by CVE-2026-34197 is widely deployed in enterprise, web backends, government, and company systems built on Java.
Horizon3 researcher Naveen Sunkavally found the issue "with nothing more than a couple of basic prompts" in Claude. "This was 80% Claude with 20% gift-wrapping by a human," he said.
Sunkavally notes that Claude pointed to the issue after examining multiple individual components (Jolokia, JMX, network connectors, and VM transports).
"Each feature in isolation does what it’s supposed to, but they were dangerous together. This is exactly where Claude shone - efficiently stitching together this path end to end with a clear head free of assumptions."
The researcher reported the vulnerability to Apache maintainers on March 22, and the developer addressed it on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4.
... continue reading