At Zia Consulting, keeping your Alfresco environment secure and performant is our top priority. We want to alert you of a recently disclosed high-severity vulnerability in Apache ActiveMQ, a core component used in Alfresco Content Services (ACS) deployments.

This vulnerability, identified as CVE-2026-34197, carries a CVSS score of approximately 8.8, indicating a high risk of exploitation. For context, this score is not far off from the 10 of the infamous Log4j vulnerability.

Understanding the Risk

The vulnerability exists within the Jolokia endpoint exposed by ActiveMQ. This endpoint provides access to JMX (Java Management Extensions), which is typically used for administration and monitoring. If left exposed, an attacker could potentially use this endpoint to achieve Remote Code Execution (RCE) on your server.

Because the details of this vulnerability are now public, we must assume a high risk of exploitation for any environment where this endpoint is accessible to untrusted networks.

Is Your Alfresco Environment Affected?

ACS 6.0 through ACS 25 typically use ActiveMQ 5.x versions below the fixed 5.19.4 level, and ACS 26 environments should also be reviewed to confirm the actual ActiveMQ version in use.

Your Alfresco environment may be affected if it uses Apache ActiveMQ Classic earlier than 5.19.4 or ActiveMQ 6.x earlier than 6.2.3. As of this writing, the safer remediation target is ActiveMQ 5.19.6 or 6.2.5, subject to Hyland support guidance and customer testing (which we discuss later in more detail).

The practical question is not only which ACS version you are running, but whether ActiveMQ is present, enabled, and reachable. The highest-risk scenario is an environment where the ActiveMQ web console or Jolokia endpoint is accessible from untrusted networks.

The next section provides quick checks to help determine whether the vulnerable endpoint may be reachable.

Quick Diagnostic: How to Check Your Exposure

The risk is primarily tied to port 8161, which serves the ActiveMQ web console and the Jolokia interface. Note that this is separate from port 61616, which Alfresco uses for standard message transport.

You can quickly test if your Jolokia endpoint is reachable by attempting to access the following URLs from outside your trusted network:

  • http://<ActiveMQ-host>:8161/api/jolokia/version
  • http://<ActiveMQ-host>:8161/api/jolokia/exec

What the results mean:

  • The desired results are no connection, timeout, or blocked access from untrusted networks.
  • If the first URL returns a JSON object containing version information, your endpoint is accessible.
  • If the second URL is reachable (even if it returns a 401/403 response), it indicates potential exposure to the RCE exploit.
  • A JSON response without authentication indicates significant exposure.
  • Successful access using default credentials should be treated as high risk.
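The following script is an added example (not Zia's or Hyland's tooling) that probes the two URLs above from wherever it is run and maps each answer to the outcomes in the list above. It assumes curl is installed, that ACTIVEMQ_HOST names the host to check, and that the console port is 8161 unless ACTIVEMQ_HTTP_PORT says otherwise.

```shell
#!/bin/sh
# Added Jolokia exposure probe for the two URLs in the advisory (not Zia's or
# Hyland's tooling). Assumes curl; ACTIVEMQ_HTTP_PORT defaults to 8161, the
# console/Jolokia port (not the 61616 transport port). Run it from an untrusted
# network vantage point, since "not reachable" is the desired result there.
ACTIVEMQ_HTTP_PORT="${ACTIVEMQ_HTTP_PORT:-8161}"

# classify_probe ENDPOINT STATUS BODY -> prints one label
#   ENDPOINT: version | exec   STATUS: HTTP status, 000 = no connection/timeout
#   Labels: not-reachable        (desired outcome)
#           version-unauthenticated (endpoint accessible, version JSON served)
#           exec-auth-required   (reachable with 401/403: potential RCE exposure)
#           exec-unauthenticated (JSON without auth: significant exposure)
#           reachable            (any other HTTP answer; still exposed)
classify_probe() {
    endpoint=$1; status=$2; body=$3
    body=${body#"${body%%[![:space:]]*}"}      # drop leading whitespace
    if [ "$status" = 000 ]; then echo not-reachable; return 0; fi
    case "$endpoint:$status:$body" in
        version:200:'{'*)      echo version-unauthenticated ;;
        exec:200:'{'*)         echo exec-unauthenticated ;;
        exec:401:*|exec:403:*) echo exec-auth-required ;;
        *)                     echo reachable ;;
    esac
}

# check_host HOST -> probes both URLs; returns 0 only if neither is reachable
check_host() {
    host=$1; rc=0; tmp=$(mktemp)
    for endpoint in version exec; do
        url="http://$host:$ACTIVEMQ_HTTP_PORT/api/jolokia/$endpoint"
        # curl prints 000 as the status when it cannot connect or times out
        status=$(curl -s -m 5 -o "$tmp" -w '%{http_code}' "$url" 2>/dev/null || true)
        [ -n "$status" ] || status=000
        body=$(head -c 256 "$tmp")
        label=$(classify_probe "$endpoint" "$status" "$body")
        printf '%s -> %s\n' "$url" "$label"
        [ "$label" = not-reachable ] || rc=1
    done
    rm -f "$tmp"; return "$rc"
}

# Usage: ACTIVEMQ_HOST=<ActiveMQ-host> sh jolokia-exposure.sh
if [ -n "${ACTIVEMQ_HOST:-}" ]; then check_host "$ACTIVEMQ_HOST"; fi
```

A non-zero exit from check_host means at least one of the two URLs answered and the port 8161 restrictions below apply.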

Recommended Immediate Actions

Since port 8161 is used for administration and monitoring, not for core communication between Alfresco services, restricting external access will not break your Alfresco operations.

We recommend the following steps immediately:

  1. Internal Validation: Before blocking access internally, confirm whether your team uses any specific monitoring tools that rely on the Jolokia endpoint.
  2. IP Whitelisting: If you must access the console, restrict access to a specific set of trusted internal IP addresses only.
  3. Restrict Port 8161: Block access to this port from external or untrusted networks via your firewall, security groups, or Load Balancer (ALB) rules.

Path to Resolution

Hyland has already released updated Docker images (ActiveMQ 5.19.5 and 6.2.4) that fix the problem, but come with caveats. You can find these tags on Docker Hub. For customers using Docker-based deployments, this will likely be the preferred long-term mitigation path. Customers using Ansible will need to override the activemq_version configuration.

Hyland’s Support Guidance

For Enterprise customers, it is crucial to ensure that their environments remain supported.

Hyland has confirmed that using a later minor version of a supported third-party component can remain within a supported stack, provided the major version remains unchanged, and the selected minor version is later than the version listed in the Supported Platforms page. However, these component versions may not have been fully tested by Hyland in every supported Alfresco stack. If an issue is determined to be caused by the updated component version, Hyland may require additional troubleshooting steps or an alternate resolution.

For ACS 6.0 to 25.x, the supported platform lists ActiveMQ 5.15 to 5.18. Hyland confirmed that moving to a later ActiveMQ 5.x version, such as 5.19.x, would still be considered supported. However, those versions have not been fully tested by Hyland. If Hyland determines that a reported issue is caused by a later component version, they may work with the customer to identify an appropriate resolution, which may include downgrading.

How Zia can help

If you are unsure whether your Alfresco environment is affected, Zia can help review your deployment and plan a safe remediation path. For help assessing your exposure or planning remediation, or if you have concerns about your specific configuration, please reach out to our Support or Sales Team.
