Security researchers have discovered a remote code execution vulnerability in Apache ActiveMQ Classic that went undetected for 13 years. The flaw, tracked as CVE-2026-34197, can be exploited through the Jolokia API to force the messaging broker to download and execute malicious configuration files, and in some deployments it can be chained with another vulnerability to bypass authentication entirely. Apache has patched the issue in ActiveMQ Classic versions 5.19.4 and 6.2.3, and users are urged to update immediately.