In a concerning development for enterprise messaging systems, cybersecurity researchers have unveiled two major vulnerabilities in RabbitMQ, a widely used message broker. These flaws could allow attackers to leak sensitive OAuth secrets, take over messaging infrastructure, or silently read data across tenant boundaries. Here’s what you need to know and why you should patch immediately.
The Vulnerabilities: What’s at Stake?
The vulnerabilities, discovered by Miggo’s security team, have been lurking in RabbitMQ’s codebase since early 2024. They impact all release lines from version 3.13.0 onward. Fortunately, patches are now available in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. As of now, there’s no evidence of these flaws being actively exploited, but that could change quickly.
1. CVE-2026-57219 (CVSS Score: 8.7): OAuth Secret Leak
This flaw involves an obsolete HTTP API endpoint (GET /api/auth) that, under certain configurations, can expose the broker’s OAuth client secret to an unauthenticated attacker. In setups where OAuth 2 is configured to use the management.oauth_client_secret key, an attacker could use this secret to obtain an administrator token. With this token, they could gain full control over messages, queues, users, and broker settings—a nightmare scenario for any organization.
The root cause? The endpoint’s authorization check was hard-coded to always allow the request, bypassing standard security checks. This makes it especially dangerous in environments where the RabbitMQ management port (15672) is accessible over the internet or in multi-tenant setups.
2. CVE-2026-57221 (CVSS Score: 5.3): Tenant Data Exposure
The second vulnerability allows any authenticated user to enumerate queue and exchange names in a virtual host, as well as read message counts and consumer counts, regardless of their permissions. This means sensitive data could be exposed to users who shouldn’t have access to it, undermining the integrity of tenant boundaries.
Why You Should Care
If you’re running RabbitMQ in a cloud or multi-tenant environment, these vulnerabilities pose a significant risk. Attackers could exploit these flaws to:
- Steal OAuth secrets and gain administrative control over your messaging infrastructure.
- Access sensitive data across tenant boundaries, compromising data privacy and security.
- Disrupt messaging services, leading to potential downtime or data loss.
What to Do Now
To protect your systems, take the following steps immediately:
- Patch Your RabbitMQ Installations: Upgrade to the latest patched versions (4.3.0, 4.2.6, 4.1.11, 4.0.20, or 3.13.15).
- Rotate OAuth Secrets: If your management interface is exposed to the internet, rotate your OAuth client secrets as a precaution.
- Limit Access to Port 15672: Restrict access to the management port to prevent unauthorized access.
- Separate Tenants by Virtual Host: Ensure tenants are isolated to minimize the risk of data exposure.
- Implement Firewall Rules: Block access to vulnerable endpoints on unpatched instances.
A Broader Look at RabbitMQ Security
This disclosure comes on the heels of other critical RabbitMQ vulnerabilities, including a TLS client-authentication bypass and a JSON Web Key Set (JWKS) forgery issue. These flaws highlight the importance of proactive security measures, especially in environments where messaging systems handle sensitive data.
Final Thoughts
RabbitMQ is a critical component of many enterprise messaging architectures, making these vulnerabilities a serious concern. By taking immediate action to patch and secure your systems, you can protect your organization from potential breaches and ensure the integrity of your messaging infrastructure.
Stay vigilant, and happy patching!
