SB2026071004 - Multiple vulnerabilities in RabbitMQ Server



SB2026071004 - Multiple vulnerabilities in RabbitMQ Server

Published: July 10, 2026

Security Bulletin ID SB2026071004
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause integrity issues by causing a stale authentication-mechanism preference to persist across logout.

The vulnerability exists due to improper input validation in get_auth_mechanism/1 when clearing the consumed auth-mechanism cookie. A remote attacker can trigger the application to send a malformed Set-Cookie header with a non-conformant cookie name to cause integrity issues by causing a stale authentication-mechanism preference to persist across logout.

User interaction is required, and the issue is limited to weak session hygiene in browser-based use, such as shared-browser scenarios.


2) Cleartext storage of sensitive information (CVE-ID: N/A)

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to cleartext storage of sensitive information in the management UI login cookie when processing successful POST /login requests. A remote attacker can obtain the auth cookie value to disclose sensitive information.

The cookie stores the user's actual username and password in base64 form rather than a session token, and it is readable from JavaScript because it is set without the HttpOnly attribute.


3) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in the management UI origin.

The vulnerability exists due to cross-site scripting in the OAuth bootstrap JavaScript endpoint set_token_auth/2 when emitting JavaScript from an attacker-influenced bearer token or access_token cookie. A remote attacker can supply a crafted token value to execute arbitrary JavaScript in the management UI origin.

Only deployments with OAuth enabled are exposed, and user interaction is required for the victim's browser to fetch bootstrap.js. Exploitation requires the ability to plant an access_token cookie on the management host, while the Authorization header path is reachable from a non-browser client that mediates an attacker-controlled request.


Remediation

Install update from vendor's website.