SB2026062518 - Multiple vulnerabilities in RabbitMQ Server

Published: June 25, 2026 Updated: June 25, 2026

Security Bulletin ID: SB2026062518
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 57% (4 of 7), Low: 43% (3 of 7)

Description

This security bulletin contains information about 7 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2026-57219)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the HTTP API endpoint GET /api/auth when handling unauthenticated requests on affected OAuth 2 configurations. A remote attacker can send a request to the endpoint to disclose sensitive information.

Only installations with the management plugin enabled and OAuth 2 configured to use the management.oauth_client_secret setting are vulnerable.


2) Missing Authorization (CVE-ID: CVE-2026-57221)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in passive queue.declare and passive exchange.declare operations when handling authenticated AMQP requests within a virtual host. A remote user can issue passive declare operations to disclose sensitive information.

Even users with empty configure, write, and read permission regexes can enumerate queue and exchange names, and passive queue declarations also expose message counts and consumer counts.


3) Input validation error (CVE-ID: CVE-2026-57220)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in rabbit_stream_core when processing oversized stream frames during authentication before Tune negotiation. A remote attacker can send oversized partial frames to cause a denial of service.

Only deployments with the first-party rabbitmq_stream listener enabled and reachable on port 5552 are vulnerable.
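Items 1 and 3 both tie exposure to a configuration condition, so a defender's first step is to check the node's configuration for them. The script below is an added example, not code from the bulletin or from the RabbitMQ project: it parses a rabbitmq.conf-style `key = value` file and reports whether `management.oauth_client_secret` (named in item 1) is set and whether a stream listener is configured on port 5552 (item 3). The sample configuration is constructed, and the `stream.listeners.tcp.<name>` key naming is assumed from the stream plugin's documented convention rather than taken from the bulletin.

```python
"""Added example, not RabbitMQ project code: flag the two configuration
conditions named in items 1 and 3 of this bulletin in a rabbitmq.conf file."""
from typing import Dict, List

# Constructed sample in the `key = value` style used by rabbitmq.conf. The
# stream listener key follows the rabbitmq_stream plugin's documented
# `stream.listeners.tcp.<name>` convention (assumed here, not from the bulletin).
SAMPLE_CONF = """\
# constructed sample; secrets replaced by placeholders
listeners.tcp.default = 5672
management.tcp.port = 15672
management.oauth_enabled = true
management.oauth_client_secret = <PLACEHOLDER-CLIENT-SECRET>
stream.listeners.tcp.default = 5552
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse `key = value` lines. Lines starting with `#` are comments and blank
    lines are skipped; a `#` inside a value is kept so secrets are not truncated.
    The last value seen for a key wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def exposure_findings(conf: Dict[str, str]) -> List[dict]:
    """Return one finding per bulletin condition present in the parsed config."""
    findings: List[dict] = []
    # Item 1: the OAuth 2 client secret is only at risk when it is configured at all.
    if "management.oauth_client_secret" in conf:
        findings.append({
            "item": 1,
            "key": "management.oauth_client_secret",
            "note": "set in config; unauthenticated GET /api/auth may expose it (CVE-2026-57219)",
        })
    # Item 3: a first-party stream listener reachable on 5552.
    for key, value in conf.items():
        if key.startswith("stream.listeners.tcp.") and value == "5552":
            findings.append({
                "item": 3,
                "key": key,
                "note": "stream listener on port 5552 (CVE-2026-57220)",
            })
    return findings


if __name__ == "__main__":
    for f in exposure_findings(parse_conf(SAMPLE_CONF)):
        print(f"item {f['item']}: {f['key']}: {f['note']}")
```

The absence of a `stream.listeners.tcp.*` key does not prove the stream plugin is off, since an enabled plugin can fall back to its default port; treat the scan as a quick triage of explicit settings and confirm listeners from the running node.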


4) Improper Authorization (CVE-ID: CVE-2026-57218)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose queue messages after authorization has been revoked.

The vulnerability exists due to improper access control in the AMQP 0-9-1 consumer authorization flow when processing message deliveries after OAuth token expiry or scope downgrade via connection.update_secret. A remote user can maintain a previously established consumer and refresh to a token with reduced queue read scope to disclose queue messages after authorization has been revoked.

The issue is limited to already-established AMQP 0-9-1 consumer flows; creating a new consumer after the downgrade is denied, while the pre-existing consumer can still receive new messages.


5) Improper access control (CVE-ID: CVE-2026-57217)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass topic authorization and route messages across tenant boundaries.

The vulnerability exists due to improper access control in the topic-permission lookup handling in the internal authorization backend when processing topic publish or bind operations during metadata-store lookup failures. A remote user can trigger topic operations while Khepri returns timeout or error results to bypass topic authorization and route messages across tenant boundaries.

The issue occurs only during the Khepri lookup error window, where denied operations become allowed until metadata lookup recovers.
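Items 4 and 5 are both authorization-logic failures rather than parsing bugs: one treats a metadata lookup error as "no restriction", the other keeps honouring an authorization decision made when a consumer was created after the credential behind it has been downgraded. The model below is an added example, not RabbitMQ code; it reduces both to a tiny in-memory broker with a fault-injecting permission store (standing in for Khepri) and an OAuth-style token reduced to read patterns. The `TopicPermissionStore`, `Token`, `Connection` names and the assumption that a missing topic-permission entry means "unrestricted" are mine, and the constructed `MetadataTimeout` stands in for whatever timeout or error result the real store returns.

```python
"""Added example, not RabbitMQ project code: fail-closed topic checks when the
metadata store errors (item 5) and re-checking established consumers after a
credential downgrade (item 4), on a tiny in-memory model."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class MetadataTimeout(Exception):
    """Stands in for a Khepri lookup timing out or returning an error."""


@dataclass
class TopicPermissionStore:
    """(vhost, user, exchange) -> {"write": regex, "read": regex}.
    `fail_next` is constructed fault injection: that many lookups raise."""
    perms: Dict[Tuple[str, str, str], Dict[str, str]] = field(default_factory=dict)
    fail_next: int = 0

    def lookup(self, vhost: str, user: str, exchange: str) -> Optional[Dict[str, str]]:
        if self.fail_next > 0:
            self.fail_next -= 1
            raise MetadataTimeout(f"lookup for {user}@{vhost} timed out")
        return self.perms.get((vhost, user, exchange))


def _matches(entry: Optional[Dict[str, str]], op: str, routing_key: str) -> bool:
    # Model assumption: no topic-permission entry means the user is unrestricted
    # for topic operations (ordinary exchange permissions still apply elsewhere).
    if entry is None:
        return True
    return re.fullmatch(entry[op], routing_key) is not None


def authorize_topic_fail_open(store, vhost, user, exchange, routing_key, op) -> bool:
    """The pattern behind item 5: a failed lookup is handled like 'no entry',
    so a key that would be denied is allowed while the store is unavailable."""
    try:
        entry = store.lookup(vhost, user, exchange)
    except MetadataTimeout:
        entry = None
    return _matches(entry, op, routing_key)


def authorize_topic(store, vhost, user, exchange, routing_key, op) -> bool:
    """Fail closed: an error from the store is a deny, never 'unrestricted'."""
    try:
        entry = store.lookup(vhost, user, exchange)
    except MetadataTimeout:
        return False
    return _matches(entry, op, routing_key)


@dataclass
class Token:
    """OAuth-style token reduced to the queue-name patterns it grants read on."""
    read_patterns: Set[str]

    def can_read(self, queue: str) -> bool:
        return any(re.fullmatch(p, queue) for p in self.read_patterns)


@dataclass
class Connection:
    token: Token
    consumers: List[str] = field(default_factory=list)  # queues with a live consumer

    def start_consumer(self, queue: str) -> bool:
        """Checked at creation time; item 4 notes this check still denies
        *new* consumers after a downgrade."""
        if not self.token.can_read(queue):
            return False
        self.consumers.append(queue)
        return True

    def update_secret(self, new_token: Token) -> None:
        """connection.update_secret: swap the credential, keep the channel open."""
        self.token = new_token


def deliver_to_existing_consumer(conn: Connection, queue: str) -> bool:
    """The flaw in item 4: delivery only asks whether a consumer was registered."""
    return queue in conn.consumers


def deliver(conn: Connection, queue: str) -> bool:
    """Hardened: the *current* token must still grant read on every delivery."""
    return queue in conn.consumers and conn.token.can_read(queue)
```

Re-checking on every delivery is the simplest fix to read; a production broker would more likely cancel affected consumers once at `update_secret` time and cache the result, but the invariant is the same: no delivery may rely on an authorization decision older than the credential it was made under.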


6) Improper access control (CVE-ID: CVE-2026-57216)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass loopback-only authentication restrictions and obtain a live AMQP session as a loopback-restricted user.

The vulnerability exists due to improper access control in the loopback-user check in RabbitMQ listener authentication when processing connections accepted through a trusted PROXY-protocol frontend on a loopback-bound backend listener. A remote attacker can send a specially crafted PROXY-protocol connection with valid loopback-restricted credentials to bypass loopback-only authentication restrictions and obtain a live AMQP session as a loopback-restricted user.

Exploitation requires access to a trusted PROXY-protocol path and valid credentials for a user restricted to loopback connections.
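Item 6 comes down to which address a loopback-only check consults. When a PROXY-protocol frontend on the same host forwards to a loopback-bound backend listener, the backend socket's TCP peer is always loopback; the client's real origin is only in the PROXY header. The code below is an added example, not RabbitMQ code, and the reading that the flaw is a check against the socket peer rather than the proxied source address is my interpretation of the description. It parses a PROXY protocol v1 header (the haproxy text format), then contrasts a check that trusts the socket peer with one that uses the header's source address. `LOOPBACK_ONLY_USERS`, `parse_proxy_v1` and the sample connections are constructed; `guest` is used because RabbitMQ restricts that default user to loopback.

```python
"""Added example, not RabbitMQ project code: parse a PROXY protocol v1 header and
show why a loopback-only user check must use the address the header carries,
not the peer address of the accepting socket (item 6)."""
import ipaddress
from typing import Optional

# Constructed: users restricted to loopback connections. RabbitMQ restricts
# `guest` this way by default.
LOOPBACK_ONLY_USERS = {"guest"}

PROXY_V1_MAX_LEN = 107  # bytes, including the trailing CRLF (haproxy spec)


class ProxyHeaderError(ValueError):
    pass


def parse_proxy_v1(data: bytes) -> dict:
    """Parse 'PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\\r\\n'. Returns the
    parsed fields plus the bytes that follow the header. Anything that is not a
    well-formed header with a real source address, including 'PROXY UNKNOWN',
    is rejected: an origin we cannot identify is never treated as loopback."""
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("no PROXY v1 signature")
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > PROXY_V1_MAX_LEN:
        raise ProxyHeaderError("header unterminated or too long")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"unsupported or malformed header: {fields}")
    _, proto, src, dst, sport, dport = fields
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sport_n, dport_n = int(sport), int(dport)
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from exc
    want = 4 if proto == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match protocol field")
    if not (0 <= sport_n <= 65535 and 0 <= dport_n <= 65535):
        raise ProxyHeaderError("port out of range")
    return {"src": src_ip, "dst": dst_ip, "sport": sport_n, "dport": dport_n,
            "payload": data[end + 2:]}


def loopback_check_socket_peer(socket_peer: str, proxy_hdr: Optional[dict], user: str) -> bool:
    """The flawed pattern as read from item 6: decide from the TCP peer of the
    backend socket. Behind a PROXY frontend on the same host that peer is always
    loopback, so any remote client with loopback-only credentials passes."""
    if user not in LOOPBACK_ONLY_USERS:
        return True
    return ipaddress.ip_address(socket_peer).is_loopback


def loopback_check(socket_peer: str, proxy_hdr: Optional[dict], user: str) -> bool:
    """Hardened: when a trusted PROXY header is present, the client's origin is
    the header's source address; only a direct connection uses the socket peer."""
    if user not in LOOPBACK_ONLY_USERS:
        return True
    origin = proxy_hdr["src"] if proxy_hdr is not None else ipaddress.ip_address(socket_peer)
    return origin.is_loopback


if __name__ == "__main__":
    # Constructed: a remote client (documentation range 203.0.113.0/24) arriving
    # via a local PROXY frontend, presenting loopback-only credentials.
    hdr = parse_proxy_v1(b"PROXY TCP4 203.0.113.7 127.0.0.1 41234 5672\r\nAMQP")
    print("socket-peer check:", loopback_check_socket_peer("127.0.0.1", hdr, "guest"))
    print("header-aware check:", loopback_check("127.0.0.1", hdr, "guest"))
```

The parser deliberately rejects `PROXY UNKNOWN` and any family mismatch rather than falling back to the socket peer: if the proxied origin cannot be established, a loopback-only user should be denied, which is the fail-closed counterpart of the check itself. It also only makes sense to honour the header on listeners that accept connections exclusively from the trusted frontend; a header accepted from an arbitrary peer is just another attacker-controlled field.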


7) Improper access control (CVE-ID: CVE-2026-57215)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to inject messages into another tenant's reply channel and cause silent routing loss conditions.

The vulnerability exists due to improper access control in direct-reply-to binding handling when binding and unbinding volatile amq.rabbitmq.reply-to.* destinations. A remote user can create and retain a crafted binding to inject messages into another tenant's reply channel and cause silent routing loss conditions.

Exploitation requires normal bind and publish permissions in a shared virtual host.


Remediation

Install the update from the vendor's website.