SB2026071004 - Multiple vulnerabilities in RabbitMQ Server
Published: July 10, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause integrity issues by causing a stale authentication-mechanism preference to persist across logout.
The vulnerability exists due to improper input validation in get_auth_mechanism/1 when clearing the consumed auth-mechanism cookie. A remote attacker can trigger the application to send a malformed Set-Cookie header with a non-conformant cookie name to cause integrity issues by causing a stale authentication-mechanism preference to persist across logout.
User interaction is required, and the issue is limited to weak session hygiene in browser-based use, such as shared-browser scenarios.
2) Cleartext storage of sensitive information (CVE-ID: N/A)
CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cleartext storage of sensitive information in the management UI login cookie when processing successful POST /login requests. A remote attacker can obtain the auth cookie value to disclose sensitive information.
The cookie stores the user's actual username and password in base64 form rather than a session token, and it is readable from JavaScript because it is set without the HttpOnly attribute.
3) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the management UI origin.
The vulnerability exists due to cross-site scripting in the OAuth bootstrap JavaScript endpoint set_token_auth/2 when emitting JavaScript from an attacker-influenced bearer token or access_token cookie. A remote attacker can supply a crafted token value to execute arbitrary JavaScript in the management UI origin.
Only deployments with OAuth enabled are exposed, and user interaction is required for the victim's browser to fetch bootstrap.js. Exploitation requires the ability to plant an access_token cookie on the management host, while the Authorization header path is reachable from a non-browser client that mediates an attacker-controlled request.
Remediation
Install update from vendor's website.