Apache ActiveMQ Classic is affected by CVE-2026-34197, an RCE vulnerability spanning a 13-year release window that abuses the Jolokia JMX-over-HTTP management endpoint to load attacker-controlled Spring XML configuration files, enabling arbitrary code execution on broker hosts; when chained with CVE-2024-32114 (authentication bypass, affecting versions 6.0.0–6.1.1), the attack path requires no credentials. A proof-of-concept has been published and EPSS sits at the 90th percentile; two prior ActiveMQ vulnerabilities (CVE-2023-46604 and CVE-2016-3088) are listed in the CISA KEV catalog, confirming this product family’s sustained exploitation history and elevating urgency. Organizations should immediately restrict access to the Jolokia endpoint (default port 8161, path /api/jolokia), upgrade to ActiveMQ Classic 5.19.4 or 6.2.4+ depending on the deployed branch, enforce authentication on the Jolokia endpoint post-patch, and hunt for broker process spawning unexpected child processes or outbound connections to unfamiliar hosts.
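An added example, not part of the advisory or of the ActiveMQ project: a Python triage of a broker inventory against the fixed versions and the CVE-2024-32114 range given above. The host names, the verdict labels and the `jolokia_reachable` flag are assumptions made for illustration; any release below the fixed version on its branch is treated as needing the upgrade.

```python
import re

# Fixed releases per branch, as stated in the advisory text above.
FIXED = {5: (5, 19, 4), 6: (6, 2, 4)}
# CVE-2024-32114 (authentication bypass) range, as stated above.
AUTH_BYPASS = ((6, 0, 0), (6, 1, 1))


def parse_version(text):
    """Return (major, minor, patch), or None for anything that is not a plain
    release number (suffixes such as -SNAPSHOT are sent to manual review)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def triage(version_text, jolokia_reachable):
    """Classify one broker. jolokia_reachable (assumed input) means the
    /api/jolokia endpoint on port 8161 answers from untrusted networks."""
    v = parse_version(version_text)
    if v is None or v[0] not in FIXED:
        return "review-manually"
    if v >= FIXED[v[0]]:
        return "patched-verify-jolokia-auth"
    in_bypass_range = AUTH_BYPASS[0] <= v <= AUTH_BYPASS[1]
    if jolokia_reachable and in_bypass_range:
        return "critical-no-credentials-needed"
    if jolokia_reachable:
        return "high-restrict-and-upgrade"
    return "upgrade"


# Constructed inventory: (host, reported version, Jolokia reachable?)
INVENTORY = [
    ("mq-a.example.internal", "6.1.0", True),
    ("mq-b.example.internal", "5.18.3", True),
    ("mq-c.example.internal", "5.19.4", False),
    ("mq-d.example.internal", "6.2.5-SNAPSHOT", True),
    ("mq-e.example.internal", "6.1.1", False),
]


def report(inventory=INVENTORY):
    """Map each host to its triage verdict."""
    return {host: triage(ver, reach) for host, ver, reach in inventory}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:24} {verdict}")
```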