CVE-2026-34197 is a newly disclosed code injection flaw in the Jolokia API of Apache ActiveMQ Classic, undetected for 13 years and discovered via static code analysis; on versions 6.0.0 through 6.1.1, it chains with CVE-2024-32114 (missing authentication) to create a fully unauthenticated RCE path. Apache ActiveMQ carries two prior CISA KEV entries (CVE-2023-46604, CVSS 10.0, exploited by ransomware and nation-state actors; CVE-2016-3088), establishing a confirmed pattern of active exploitation against this product family. CVE-2026-34197 is not yet on the CISA KEV catalog. Immediate actions: patch Classic to 5.19.4+ (5.x line) or 6.2.4+ (6.x line), block the Jolokia endpoint at the perimeter if patching is delayed, and monitor for HTTP POST requests targeting /api/jolokia on broker hosts.