Anthropic’s Claude dug up a critical remote code execution (RCE) bug that sat quietly inside Apache ActiveMQ Classic for over a decade.
Researchers at Horizon3.ai say that it only took minutes for their team to work out an exploit chain for the bug with the help of AI. The researcher behind the work, Naveen Sunkavally, described the process as “80% Claude with 20% gift-wrapping by a human.”
The bug, now fixed, could allow an attacker to use ActiveMQ’s Jolokia API to make the server load a malicious configuration file from the internet and execute arbitrary system commands. The issue stems from the integration of multiple components developed independently over time. While each worked efficiently in isolation, together they allowed remote code execution, an interaction between components that Sunkavally noted was easier for Claude to spot.
“Something that would have probably taken me a week manually took Claude 10 minutes,” the researcher said in a blog post.
Management API flaw allowed full RCE
The attack chain revolves around ActiveMQ’s management plane. ActiveMQ exposes the Jolokia API at “/api/jolokia/”, allowing authenticated users to invoke broker operations over HTTP. In vulnerable versions, attackers can abuse methods like “addNetworkConnector” to pass a crafted URL that allows the broker to load external configuration data.
By embedding a malicious “brokerConfig” parameter, the attacker forces ActiveMQ to fetch and process a remote Spring XML file. When the file loads, it can create and run any Java code, granting the attacker remote execution inside the broker.
The flaw is tracked as CVE-2026-34197 and carries a high severity rating (CVSS 8.8). It affects ActiveMQ Classic versions prior to 5.19.4 and several 6.x releases.
While, by definition, the exploit requires authentication, Sunkavally pointed out that default credentials like “admin:admin” are still widely deployed in real environments. Worse, in certain ActiveMQ 6.x versions, a separate flaw (CVE-2024-32114) can expose the Jolokia API without any authentication.
“In those versions, CVE-2026-34197 is effectively an unauthenticated RCE,” he said.
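The request pattern described above can be hunted for in logged Jolokia POST bodies; the following is an added detection sketch, not code from Horizon3.ai or the ActiveMQ project. It assumes a reverse proxy or WAF in front of “/api/jolokia/” records request bodies and that they use Jolokia's JSON request fields (type, operation, arguments); the MBean name, hostnames and URIs in the samples are constructed placeholders.

```python
import json
from urllib.parse import unquote

SUSPECT_OPERATION = "addNetworkConnector"  # operation named in the article
SUSPECT_PARAM = "brokerconfig"             # parameter named in the article

def _strings(value):
    """Yield every string inside a possibly nested JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        items = value.values() if isinstance(value, dict) else value
        for item in items:
            yield from _strings(item)

def classify_jolokia_body(body):
    """Return one verdict per request: ok, review, alert or unparsable."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return ["unparsable"]
    # Jolokia accepts a single request object or a bulk array of them.
    requests = parsed if isinstance(parsed, list) else [parsed]
    verdicts = []
    for req in requests:
        if not isinstance(req, dict):
            verdicts.append("unparsable")
            continue
        # Drop an optional signature suffix such as "(java.lang.String)".
        op = str(req.get("operation", "")).split("(", 1)[0].strip()
        if str(req.get("type", "")).lower() != "exec" or op != SUSPECT_OPERATION:
            verdicts.append("ok")
            continue
        # Percent-decode so an encoded parameter name is still matched.
        args = unquote(" ".join(_strings(req.get("arguments", [])))).lower()
        # alert: connector URI carries brokerConfig; review: any other runtime add.
        verdicts.append("alert" if SUSPECT_PARAM in args else "review")
    return verdicts

# Constructed sample bodies (not captured traffic); URIs are placeholders.
MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLE_READ = json.dumps({"type": "read", "mbean": MBEAN, "attribute": "BrokerVersion"})
SAMPLE_BULK = json.dumps([
    {"type": "exec", "mbean": MBEAN, "operation": "addNetworkConnector",
     "arguments": ["static:(tcp://broker-b.example.internal:61616)"]},
    {"type": "exec", "mbean": MBEAN, "operation": "addNetworkConnector(java.lang.String)",
     "arguments": ["placeholder://example?broker%43onfig=PLACEHOLDER-REMOTE-XML"]},
])
```

A "review" verdict is not proof of abuse, since administrators can add network connectors at runtime legitimately; correlate it with the source address and the account used.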
AI accelerated discovery
ActiveMQ has been here before. The platform has a track record of high-impact vulnerabilities tied to management surfaces and unsafe assumptions around trusted inputs. From older web console flaws to deserialization bugs and protocol-level RCEs, administrative functionalities have consistently become attack vectors.
But none of the previous flaws were found the way CVE-2026-34197 was. The bug sat there for 13 years, with the first rollout of the affected implementation dating back to around 2012, before Claude could map out a multi-step exploit chain.
The discovery is already teasing the much-buzzed successor to Claude’s flaw-catching capabilities, Claude Mythos, a vulnerability scanner and exploit generator so dangerous in the wrong hands that it has been restricted under early preview to a handful of companies, with big names of the AI and cybersecurity community coming together under “Project Glasswing” to encourage its controlled usage.
CVE-2026-34197 has been addressed in newer ActiveMQ Classic releases (6.2.3 and 5.19.4), and users must upgrade to patched versions to be protected.