Missing Authorization in RabbitMQ Server - CVE-2026-57221
Published: June 25, 2026 / Updated: June 25, 2026
RabbitMQ Server
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in passive queue.declare and passive exchange.declare operations when handling authenticated AMQP requests within a virtual host. A remote user can issue passive declare operations to disclose sensitive information.
Even users with empty configure, write, and read permission regexes can enumerate queue and exchange names, and passive queue declarations also expose message counts and consumer counts.
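The audit below is an added example, not part of the original advisory and not RabbitMQ's own code. It takes permission grants in the shape returned by the management API's GET /api/permissions and reports, per virtual host, which users hold a grant at all (and so, per the description above, can issue passive declares there) and which of those hold only deny-all regexes. The sample grants and names are constructed, and treating '^$' the same as an empty regex is an assumption.

```python
# Added example: audit RabbitMQ permission grants for exposure to
# passive-declare enumeration. Input shape: GET /api/permissions.

# Constructed sample grants (user and vhost names are made up).
SAMPLE_PERMISSIONS = [
    {"user": "orders-svc", "vhost": "prod",
     "configure": r"^orders\.", "write": r"^orders\.", "read": r"^orders\."},
    {"user": "healthcheck", "vhost": "prod",
     "configure": "", "write": "", "read": ""},
    {"user": "legacy-batch", "vhost": "prod",
     "configure": "^$", "write": "^$", "read": "^$"},
    {"user": "metrics", "vhost": "staging",
     "configure": "", "write": "", "read": ".*"},
]

# Assumption: '' and '^$' both match no resource name, so a grant made only
# of these looks like "no access" to an operator reviewing permissions.
DENY_ALL = {"", "^$"}


def is_deny_all(grant):
    """True when configure, write and read all match nothing."""
    return all(grant[k] in DENY_ALL for k in ("configure", "write", "read"))


def exposure_report(grants):
    """Per vhost: users holding any grant, and the deny-all subset of them."""
    report = {}
    for g in grants:
        entry = report.setdefault(
            g["vhost"], {"can_enumerate": [], "deny_all_only": []})
        entry["can_enumerate"].append(g["user"])
        if is_deny_all(g):
            entry["deny_all_only"].append(g["user"])
    for entry in report.values():
        entry["can_enumerate"].sort()
        entry["deny_all_only"].sort()
    return report


if __name__ == "__main__":
    for vhost, entry in sorted(exposure_report(SAMPLE_PERMISSIONS).items()):
        print(f"vhost {vhost}: {len(entry['can_enumerate'])} user(s) hold a grant")
        for user in entry["deny_all_only"]:
            # Per the advisory, empty regexes do not stop passive declares.
            print(f"  review: {user} is deny-all but can still reach {vhost}")
```

Grants that turn out to be unnecessary can be removed with rabbitmqctl clear_permissions -p <vhost> <user>.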