This vulnerability involves improper input validation and control of code generation in Apache ActiveMQ Broker. An authenticated attacker can add a connector using HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI, bypassing the validation introduced in CVE-2026-34197. The attacker leverages the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Since Spring instantiates all singleton beans before BrokerService validates the configuration, arbitrary code execution occurs on the broker JVM via bean factory methods such as Runtime.exec(). This affects Apache ActiveMQ Broker versions before 5.19.6 and from 6.0.0 before 6.2.5.

Successful exploitation allows an authenticated attacker to execute arbitrary code on the Apache ActiveMQ Broker's JVM, potentially leading to full compromise of the broker service. The vulnerability impacts confidentiality, integrity, and availability, as indicated by the CVSS vector (C:H/I:H/A:H). There are no known exploits in the wild at this time.

A fix is available by upgrading Apache ActiveMQ Broker to version 5.19.6 or 6.2.5, which addresses this vulnerability. Users should apply these updates promptly to remediate the issue. No alternative mitigations or temporary fixes are documented. Patch status is confirmed by the vendor advisory recommending these versions.