Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact. Tracked as CVE-2026-34197, the security issue received a high severity score of 8.8 and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3 This is also the reason why it was missed for more than a decade. Apache ActiveMQ is an open-source message broker written in Java that handles asynchronous communication via message queues or topics. Although ActiveMQ has released a newer ‘Artemis’ branch with better performance, the ‘Classic’ edition impacted by CVE-2026-34197 is widely deployed in enterprise, web backends, government, and company systems built on Java. Horizon3 researcher Naveen Sunkavally found the issue "with nothing more than a couple of basic prompts" in Claude. "This was 80% Claude with 20% gift-wrapping by a human," he said. Sunkavally notes that Claude pointed to the issue after examining multiple individual components (Jolokia, JMX, network connectors, and VM transports).