Recent research has unveiled two significant access control vulnerabilities in the RabbitMQ message broker service, which could potentially expose sensitive OAuth client secrets and compromise tenant data. Discovered by Miggo’s security team, these flaws pose serious risks to enterprise messaging infrastructures.
Details of the Vulnerabilities
The first vulnerability, identified as CVE-2026-57219, has a CVSS score of 8.7. It involves an outdated HTTP API endpoint, specifically “GET /api/auth,” which discloses the broker’s confidential OAuth secret to unauthenticated attackers. This exposure allows attackers to exchange the secret for an administrator token, granting them full control over messages, queues, users, and broker settings.
The second flaw, CVE-2026-57221, has a CVSS score of 5.3. It permits any authenticated user connected to a virtual host to enumerate all queue and exchange names within that host. This vulnerability allows users to access queue message counts and consumer counts without appropriate permissions, as the authorization check for this endpoint is improperly configured.
Impact and Affected Versions
Both vulnerabilities have been present in RabbitMQ’s codebase since early 2024 and affect all release lines from version 3.13.0 and later. The vulnerabilities have been addressed in the following patched versions: 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. Currently, there is no evidence to suggest that these vulnerabilities have been actively exploited prior to their public disclosure.
Recommended Mitigations
To mitigate the risks associated with these vulnerabilities, users are advised to upgrade to the latest versions of RabbitMQ. Additionally, it is recommended to rotate the OAuth client secret if the management interface is accessible over the internet. Limiting access to port 15672 can help prevent unauthorized access to the management interface, while separating tenants by virtual host and implementing firewall rules can further protect against exploitation of the vulnerable endpoint.
Context of Recent Security Issues
This disclosure follows the resolution of two critical-severity vulnerabilities in RabbitMQ that could lead to TLS client-authentication bypass and allow an adversary-in-the-middle (AitM) to forge JSON Web Key Set (JWKS) responses, potentially accepting arbitrary JWTs. The ongoing scrutiny of RabbitMQ’s security highlights the importance of maintaining robust access controls and regular updates to safeguard messaging infrastructures.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








