On 17 April 2026, a critical vulnerability was discovered in the Apache ActiveMQ software. The vulnerability involves improper input validation and code injection within the Jolokia JMX-HTTP bridge. An authenticated attacker can exploit this flaw by invoking management operations through the Jolokia API to trick the broker into fetching a remote configuration file, leading to arbitrary remote code execution (RCE) on the broker's Java Virtual Machine (JVM). Affected versions of Apache ActiveMQ Classic include all versions prior to 5.19.4 and versions 6.0.0 through 6.2.2.
Appian has investigated this vulnerability and reviewed its services. While affected versions of Apache ActiveMQ are present within the Appian platform, we have confirmed that the Jolokia JMX-HTTP bridge and ActiveMQ web console are not used. Consequently, Appian services are not impacted by this vulnerability. As a proactive security measure, our engineering teams are currently upgrading these packages to the latest secure versions. We will continue to monitor the situation and provide updates as needed.
The following CVE was released with additional information on the scope of the vulnerability:
CVE-2026-34197 - (Apache ActiveMQ Improper Input Validation / Remote Code Execution)
This article applies to all supported versions of Appian.
Last reviewed: April 29, 2026