Security researchers have disclosed two access-control vulnerabilities in RabbitMQ, the popular open-source message broker used by organizations worldwide. If exploited, these flaws could allow attackers to gain administrative control of a RabbitMQ server or access sensitive information about queues and users.
The vulnerabilities were discovered by Miggo Security and affect RabbitMQ versions starting from 3.13.0. Security updates are now available, and organizations are encouraged to patch affected systems as soon as possible.
Two Critical Security Flaws
The first and more severe vulnerability, CVE-2026-57219, exposes RabbitMQ’s OAuth configuration through a management API endpoint that does not require authentication. If an organization stores an OAuth client secret for identity providers such as Auth0, Microsoft Entra ID, Keycloak, or UAA, an attacker with network access to the management interface could retrieve that secret.
Using the exposed credentials, an attacker may obtain administrator-level access to the RabbitMQ server, allowing them to manage messages, queues, users, and broker settings.
The second vulnerability, CVE-2026-57221, affects permission validation within RabbitMQ. Although less severe, it allows authenticated users with limited privileges to discover queues, exchanges, and usage statistics that they should not normally be able to access. In shared or multi-tenant environments, this information could help attackers gather intelligence for future attacks.
Recommended Security Measures
Both vulnerabilities have been fixed in RabbitMQ 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15.
Organizations should take the following steps to protect their RabbitMQ deployments:
- Update RabbitMQ to a supported patched version immediately.
- Rotate OAuth client secrets after applying updates.
- Restrict access to the RabbitMQ management interface (port 15672) and avoid exposing it to public networks.
- Isolate tenants using separate virtual hosts instead of shared environments.
- Review container images and Helm charts to ensure they are not using vulnerable RabbitMQ versions.
- Monitor RabbitMQ systems for unusual administrative activity or unauthorized access attempts.
These vulnerabilities highlight the importance of securing management interfaces and regularly updating infrastructure components. Prompt patching, strong access controls, and continuous security monitoring remain essential for protecting messaging platforms and the applications that depend on them.