Jolokia 1.6.0 is vulnerable to CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. The issue was fixed in version 1.6.1.
Red Hat Security Advisory: https://access.redhat.com/security/cve/cve-2018-10899
In version 1.2.1 Jolokia introduced a <strict-checking/> option within the Cross-Origin Resource Sharing policy defined in jolokia-access.xml to prevent CSRF (4.1.5).
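An added example, not part of the original advisory or of Jolokia's code: a Python check that reads a jolokia-access.xml policy together with the agent version and reports the conditions described above. The sample policies, the host name and the function names are constructed for illustration, and the version is assumed to be plain dotted numbers.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real deployment).
WEAK_POLICY = """<restrict>
  <cors>
    <allow-origin>*</allow-origin>
  </cors>
</restrict>"""

STRICT_POLICY = """<restrict>
  <cors>
    <allow-origin>https://admin.example.internal</allow-origin>
    <strict-checking/>
  </cors>
</restrict>"""


def parse_version(text):
    """Turn '1.6.0' into (1, 6, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(policy_xml, agent_version):
    """Return a list of findings for one policy file and agent version."""
    findings = []
    version = parse_version(agent_version)
    cors = ET.fromstring(policy_xml).find("cors")
    if cors is None:
        findings.append("no <cors> section in policy")
    else:
        origins = [(o.text or "").strip() for o in cors.findall("allow-origin")]
        if "*" in origins:
            findings.append("<allow-origin>*</allow-origin> accepts any origin")
        if cors.find("strict-checking") is None:
            findings.append("<strict-checking/> missing from <cors>")
        elif version < (1, 2, 1):
            findings.append("<strict-checking/> set, but the option exists only from 1.2.1")
    # Strict checking does not help on 1.6.0; the fix is in 1.6.1.
    if version == (1, 6, 0):
        findings.append("agent 1.6.0 is affected by CVE-2018-10899: upgrade to 1.6.1")
    return findings
```

A strict policy on 1.6.1 yields no findings, while the same policy on 1.6.0 still yields the upgrade finding.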