RabbitMQ Vulnerabilities Expose OAuth Secrets and Tenant Data

Recent security assessments have identified two significant vulnerabilities in RabbitMQ, a widely utilized open-source message broker. These flaws could potentially allow unauthorized access to sensitive OAuth client secrets and cross-tenant queue metadata, posing substantial risks to enterprise messaging infrastructures.

Details of the Vulnerabilities

The first vulnerability, designated as CVE-2026-57219 with a CVSS score of 8.7, arises from an obsolete HTTP API endpoint (GET /api/auth) within RabbitMQ’s management web interface. This endpoint, when OAuth 2.0 is configured using the management.oauth_client_secret configuration key, inadvertently exposes the broker’s confidential OAuth client secret. An attacker with network access to the management interface could exploit this flaw to obtain the client secret, impersonate the broker to the identity provider, and acquire administrative tokens. This access could lead to full control over messages, queues, users, and broker settings.

The second vulnerability, identified as CVE-2026-57221 with a CVSS score of 5.3, involves insufficient authorization checks. It permits any authenticated user to enumerate all queue and exchange names within a virtual host and view related statistics, regardless of their assigned permissions. This flaw could enable unauthorized users to gather intelligence on the messaging infrastructure, potentially facilitating further attacks.

Impacted Versions and Mitigation Measures

These vulnerabilities affect RabbitMQ versions starting from 3.13.0, introduced in early 2024. The issues have been addressed in the following patched versions: 3.13.15, 4.0.20, 4.1.11, 4.2.6, and 4.3.0. Organizations utilizing affected versions are strongly advised to upgrade to these patched releases promptly to mitigate potential risks.

In addition to applying the patches, it is recommended to rotate OAuth client secrets, especially if the management interface is accessible over the internet. Restricting access to the management interface by limiting exposure of port 15672 and implementing firewall rules can further reduce the attack surface. For multi-tenant environments, ensuring proper separation of tenants by virtual hosts is crucial to prevent unauthorized data access.

While there is currently no evidence of these vulnerabilities being exploited in the wild, the nature of the flaws underscores the importance of proactive security measures. Regularly updating software, reviewing access controls, and monitoring for unusual activity are essential practices to maintain the integrity and security of messaging infrastructures.

These vulnerabilities highlight the critical need for organizations to stay vigilant and responsive to emerging security threats. Ensuring that all components of the IT infrastructure are up-to-date and properly configured is vital in safeguarding against potential exploits that could compromise sensitive data and system operations.