SB2026061825 - Multiple vulnerabilities in RabbitMQ
Published: June 18, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in the RabbitMQ management plugin's static file handler (rabbit_mgmt_wm_static) when handling a crafted request path containing URL-encoded UNC path segments on Windows. A remote attacker can send a specially crafted request to disclose sensitive information.
Exploitation requires Windows and two or more management extension plugins to be enabled. On domain-joined systems, the issue can coerce outbound SMB authentication and expose the machine account's NTLMv2 hash.
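The root cause pattern here is a check applied to the request path before percent-decoding, so separators introduced by decoding (backslashes forming a UNC prefix, or an encoded `..`) are never seen. The following is an added illustration, not RabbitMQ's handler code; the static root, function names and sample request paths are hypothetical, and posixpath is used so the path logic behaves the same on any OS:

```python
import posixpath
from urllib.parse import unquote

# Hypothetical static root; any directory works for the path logic below.
STATIC_ROOT = "/opt/mgmt/static"


def raw_path_check(raw_path: str) -> bool:
    """Weak check: inspects the path BEFORE percent-decoding, so a segment such
    as %5C%5Chost%5Cshare (decodes to \\\\host\\share) or %2e%2e looks clean."""
    return "\\" not in raw_path and ".." not in raw_path.split("/")


def resolve_static(root: str, raw_path: str):
    """Hardened resolution: decode every segment first, then reject backslashes
    (Windows/UNC separators), drive-letter colons, decoded slashes and '..',
    and finally confirm the normalised result still lies under the root.
    Returns the resolved path, or None if the request must be refused."""
    segments = [unquote(seg) for seg in raw_path.split("/")]
    clean = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if "\\" in seg or ":" in seg or "/" in seg or seg == "..":
            return None
        clean.append(seg)
    resolved = posixpath.normpath(posixpath.join(root, *clean)) if clean else root
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


# Constructed sample requests (not captured traffic).
UNC_REQUEST = "/%5C%5Cattacker%5Cshare%5Cfile"      # decodes to \\attacker\share\file
DOTDOT_REQUEST = "/js/%2e%2e/%2e%2e/etc/passwd"     # decodes to /js/../../etc/passwd
BENIGN_REQUEST = "/js/main.js"
```

The weak check passes both crafted requests because the characters it looks for only appear after decoding; the hardened resolver refuses them and still serves the benign path.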
2) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass configured request body size limits and consume additional resources.
The vulnerability exists due to allocation of resources without limits or throttling in rabbitmq_management HTTP API request body handling when processing oversized but syntactically valid JSON request bodies. A remote user can send a specially crafted oversized JSON request to bypass the configured request body size limit and consume additional resources.
Only management API code paths that use with_decode or direct_request are affected.
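A body-size limit only bounds resource use if it is enforced on the bytes actually read, before any decoding. The following added example (not RabbitMQ's code; the limit value, stream wrapper and function names are hypothetical) contrasts a handler that parses first and checks afterwards with one that stops reading at the limit:

```python
import io
import json

# Hypothetical configured limit in bytes; no RabbitMQ setting name is assumed.
MAX_BODY_BYTES = 1024


class BodyTooLarge(Exception):
    """Raised when a request body exceeds the configured limit."""


class CountingStream:
    """Stand-in for a request body stream that records how many bytes were consumed."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)
        self.bytes_read = 0

    def read(self, n: int = -1) -> bytes:
        chunk = self._buf.read(n)
        self.bytes_read += len(chunk)
        return chunk


def decode_then_check(stream, max_bytes=MAX_BODY_BYTES):
    """Weak ordering: buffer and parse the whole body, then compare its size.
    The limit is consulted only after memory and CPU were spent on the full
    payload, so a valid-but-huge JSON document is processed end to end."""
    data = stream.read()
    doc = json.loads(data)  # full parse of an unbounded payload
    if len(data) > max_bytes:
        raise BodyTooLarge(len(data))
    return doc


def read_bounded_then_decode(stream, max_bytes=MAX_BODY_BYTES):
    """Hardened ordering: read at most max_bytes + 1, reject before decoding.
    Counting bytes actually read, rather than trusting Content-Length, also
    covers chunked or mis-declared bodies."""
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise BodyTooLarge(len(data))
    return json.loads(data)


def oversized_valid_json(n_keys: int) -> bytes:
    """Constructed sample: syntactically valid JSON, far larger than the limit."""
    return json.dumps({"arguments": {f"k{i}": "x" * 100 for i in range(n_keys)}}).encode()


def compare(max_bytes=MAX_BODY_BYTES):
    """Run both handlers on the same oversized body; report outcome and bytes consumed."""
    body = oversized_valid_json(50)
    results = {"body_len": len(body)}
    for name, handler in (("weak", decode_then_check), ("bounded", read_bounded_then_decode)):
        stream = CountingStream(body)
        try:
            handler(stream, max_bytes)
            results[name] = ("accepted", stream.bytes_read)
        except BodyTooLarge:
            results[name] = ("rejected", stream.bytes_read)
    return results
```

Both handlers end up rejecting the request, but the weak one has already read and parsed the entire body, which is exactly the resource consumption the limit was meant to prevent; the bounded one stops after `max_bytes + 1` bytes.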
3) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the rabbitmq_federation_management plugin federation status page when rendering an unsanitized consumer_tag value. A remote user can configure a malicious federation upstream or policy to execute arbitrary JavaScript in the victim's browser.
User interaction is required: the payload fires when an administrator or monitoring user opens the Federation Status page.
4) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.
The vulnerability exists due to cross-site scripting in the RabbitMQ management UI queue and exchange listing pages when rendering the x-internal-purpose queue or exchange argument into an HTML title attribute. A remote user can declare a queue or exchange with a crafted x-internal-purpose value to execute arbitrary JavaScript in the browser of another user.
The payload is stored in queue or exchange metadata and is triggered when a user views the Queues or Exchanges page.
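Both stored XSS issues (3 and 4) share the same remediation on the rendering side, attribute-context escaping, and the same practitioner follow-up after patching: audit existing definitions for payloads that were stored before the fix. The following added example is not RabbitMQ's code; it runs over a constructed `/api/definitions`-style export embedded inline, flags `x-internal-purpose` arguments and federation-upstream parameter strings containing HTML metacharacters (which upstream field reaches the rendered consumer_tag is an assumption, so every string in the upstream value is scanned), and shows the escaped versus unescaped title attribute:

```python
import html
import json
import re

# Constructed sample of a definitions export (not real data). One queue and one
# exchange carry x-internal-purpose values that break out of a title attribute.
SAMPLE_DEFINITIONS = json.loads(r'''
{
  "queues": [
    {"name": "orders", "vhost": "/", "arguments": {"x-internal-purpose": "billing"}},
    {"name": "q2", "vhost": "/", "arguments": {"x-internal-purpose": "\" onmouseover=\"alert(1)"}}
  ],
  "exchanges": [
    {"name": "ex1", "vhost": "/", "arguments": {"x-internal-purpose": "<img src=x onerror=alert(1)>"}},
    {"name": "ex2", "vhost": "/", "arguments": {}}
  ],
  "parameters": [
    {"component": "federation-upstream", "vhost": "/", "name": "up1",
     "value": {"uri": "amqp://remote", "consumer-tag": "link-1"}}
  ]
}
''')

# Characters that matter in HTML text or attribute context.
ATTR_META = re.compile(r'[<>"\'&]')


def suspicious_strings(obj, path=""):
    """Walk nested JSON and yield (path, value) for strings holding HTML metacharacters."""
    if isinstance(obj, str):
        if ATTR_META.search(obj):
            yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from suspicious_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from suspicious_strings(val, f"{path}[{i}]")


def audit_definitions(defs):
    """Return (kind, vhost, name, value) for every stored value worth reviewing."""
    findings = []
    for kind in ("queues", "exchanges"):
        for item in defs.get(kind, []):
            purpose = (item.get("arguments") or {}).get("x-internal-purpose")
            if isinstance(purpose, str) and ATTR_META.search(purpose):
                findings.append((kind, item["vhost"], item["name"], purpose))
    for param in defs.get("parameters", []):
        if param.get("component") == "federation-upstream":
            for _path, val in suspicious_strings(param.get("value", {}), "value"):
                findings.append(("federation-upstream", param["vhost"], param["name"], val))
    return findings


def render_title_unsafe(purpose: str) -> str:
    """The vulnerable pattern: raw value interpolated into an attribute."""
    return f'<td title="{purpose}">queue</td>'


def render_title_safe(purpose: str) -> str:
    """Fixed pattern: escape &, <, >, \" and ' before attribute interpolation."""
    return f'<td title="{html.escape(purpose, quote=True)}">queue</td>'
```

Run `audit_definitions` against a real export after upgrading: the patch stops new payloads from rendering, but any crafted value already stored in queue or exchange metadata should still be removed.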
Remediation
Install the update from the vendor's website.
References
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-7v84-m3g5-vxq6
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5cmq-vp28-xqrj
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-qxrp-7cmp-p77h
- https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-6jfq-prw2-7rwp