Improper Authorization in RabbitMQ Server - CVE-2026-57218
Published: June 25, 2026 / Updated: June 25, 2026
RabbitMQ Server
Detailed vulnerability description
The vulnerability allows a remote user to disclose queue messages after authorization has been revoked.
The vulnerability exists due to improper access control in the AMQP 0-9-1 consumer authorization flow: message deliveries to an existing consumer are not re-authorized after the connection's OAuth token expires or its scope is downgraded via connection.update_secret. A remote user can keep a previously established consumer open and refresh to a token with reduced queue read scope, continuing to receive (and so disclose) queue messages after authorization has been revoked.
The issue is limited to already-established AMQP 0-9-1 consumer flows: creating a new consumer after the downgrade is denied, while a pre-existing consumer continues to receive new messages.
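As an added illustration (a constructed Python model, not RabbitMQ's code), the flow described above: read authorization is checked only when the consumer is created, so a consumer established under a full-scope token keeps receiving deliveries after connection.update_secret swaps in a reduced-scope or expired token, while a new basic_consume is denied. The recheck_on_delivery flag shows the corrective behaviour of re-evaluating the current token on every delivery and cancelling the consumer; Token, Channel and the scope representation are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Token:
    # Simplified OAuth token (constructed model, not RabbitMQ's scope format).
    read_scopes: frozenset
    expires_at: float

def token_allows_read(token: Token, queue: str, now: float) -> bool:
    return now < token.expires_at and queue in token.read_scopes

class Channel:
    # One AMQP 0-9-1 channel; recheck_on_delivery=False models the flawed flow.
    def __init__(self, token: Token, recheck_on_delivery: bool):
        self.token = token
        self.recheck_on_delivery = recheck_on_delivery
        self.consumers: dict = {}   # queue -> list of messages the consumer got

    def basic_consume(self, queue: str, now: float) -> list:
        # Both variants authorize at consumer creation time.
        if not token_allows_read(self.token, queue, now):
            raise PermissionError(f"no read scope for {queue}")
        self.consumers[queue] = []
        return self.consumers[queue]

    def update_secret(self, new_token: Token) -> None:
        # connection.update_secret swaps the token; existing consumers stay open.
        self.token = new_token

    def deliver(self, queue: str, message: str, now: float) -> bool:
        received = self.consumers.get(queue)
        if received is None:
            return False
        # Hardened variant: re-evaluate the current token on every delivery and
        # cancel the consumer once its read scope is gone or the token expired.
        if self.recheck_on_delivery and not token_allows_read(self.token, queue, now):
            del self.consumers[queue]
            return False
        received.append(message)
        return True

def downgrade_scenario(recheck_on_delivery: bool) -> list:
    # Consume with a full token, downgrade via update_secret, then deliver.
    full = Token(frozenset({"orders"}), expires_at=3600.0)
    reduced = Token(frozenset(), expires_at=3600.0)   # read on "orders" removed
    channel = Channel(full, recheck_on_delivery)
    received = channel.basic_consume("orders", now=0.0)
    channel.update_secret(reduced)
    channel.deliver("orders", "msg-after-downgrade", now=10.0)
    return received
```

downgrade_scenario(False) returns the message delivered after the downgrade; downgrade_scenario(True) returns an empty list because the consumer is cancelled on the first delivery attempt.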