Missing Authorization in RabbitMQ Server - CVE-2026-57221


Published: June 25, 2026 / Updated: June 25, 2026


Vulnerability identifier: #VU135148
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-57221
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
RabbitMQ Server

Detailed vulnerability description

The vulnerability allows an authenticated remote user to obtain sensitive information.

The vulnerability exists due to a missing authorization check in passive queue.declare and passive exchange.declare operations when handling authenticated AMQP requests within a virtual host. A remote user with access to the virtual host can issue passive declare operations to obtain information about queues and exchanges that their permissions do not cover.

Even users whose configure, write, and read permission regexes are all empty can enumerate queue and exchange names, and passive queue declarations additionally expose message counts and consumer counts.
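Because the advisory singles out accounts that hold vhost access but have empty permission regexes, a defender's first step before the update lands is to find such accounts, since an account that may configure, write and read nothing has no business being granted a virtual host at all. The following audit script is an added illustration and is not code from the advisory or from the RabbitMQ project. It assumes the tab-separated shape of `rabbitmqctl list_permissions -p <vhost>` output (a banner line, a header row, then one row per user with the columns user, configure, write, read); the sample output embedded below is constructed, and the user names in it are hypothetical.

```python
"""Audit RabbitMQ per-vhost permissions for accounts with empty regexes.

Added example for CVE-2026-57221 (not from the advisory or RabbitMQ).
Assumption: `rabbitmqctl list_permissions -p <vhost>` prints a banner
line, a header row and tab-separated rows of user/configure/write/read.
"""
from dataclasses import dataclass

# Constructed sample output (hypothetical users). Empty cells are empty
# regexes; the "probe" account has vhost access but no permissions at all.
SAMPLE_OUTPUT = """Listing permissions for vhost "/" ...
user\tconfigure\twrite\tread
admin\t.*\t.*\t.*
orders-svc\t^orders\\..*\t^orders\\..*\t^orders\\..*
probe\t\t\t
monitor\t\t\t^monitor\\..*
"""


@dataclass(frozen=True)
class Permission:
    user: str
    configure: str
    write: str
    read: str

    def is_fully_empty(self) -> bool:
        # All three regexes empty: the account is permitted to configure,
        # publish to or consume from nothing in this vhost.
        return not (self.configure or self.write or self.read)


def parse_permissions(text: str) -> list[Permission]:
    """Parse rabbitmqctl-style output into Permission rows."""
    rows: list[Permission] = []
    for line in text.splitlines():
        # Skip blank lines, the banner and the header row.
        if not line or line.startswith("Listing ") or line.startswith("user\t"):
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(Permission(*parts))
    return rows


def find_empty_permission_accounts(text: str) -> list[str]:
    """Users that hold vhost access while every permission regex is empty."""
    return [p.user for p in parse_permissions(text) if p.is_fully_empty()]


def suggest_cleanup(text: str, vhost: str = "/") -> list[str]:
    """Commands that revoke vhost access for the flagged accounts.

    `rabbitmqctl clear_permissions -p <vhost> <user>` removes the user's
    permission record for that vhost, which also removes their ability to
    open connections to it.
    """
    return [
        f"rabbitmqctl clear_permissions -p {vhost} {user}"
        for user in find_empty_permission_accounts(text)
    ]


if __name__ == "__main__":
    for cmd in suggest_cleanup(SAMPLE_OUTPUT):
        print(cmd)
```

Run it against the real output by piping `rabbitmqctl list_permissions -p <vhost>` into `parse_permissions` for each vhost; an account such as `monitor` above, which keeps a narrow read regex, is legitimately scoped and is not flagged, while `probe` is reported for review.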


How to mitigate CVE-2026-57221

Install the security update from the vendor's website.

Sources