Improper access control in RabbitMQ Server - CVE-2026-57217
Published: June 25, 2026
RabbitMQ Server
Detailed vulnerability description
The vulnerability allows a remote user to bypass topic authorization and route messages across tenant boundaries.
The vulnerability exists due to improper access control in the topic-permission lookup of the internal authorization backend when it processes topic publish or bind operations while a metadata-store lookup fails. A remote user can trigger topic operations while Khepri returns timeout or error results, bypassing topic authorization and routing messages across tenant boundaries.
The issue occurs only during the Khepri lookup error window, in which denied operations become allowed until the metadata lookup recovers.
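The failure mode described above, as an added illustrative model rather than RabbitMQ's own code: a topic-authorization check that folds a metadata-store error into the permissive "no topic permission configured" branch, beside one that fails closed while the store is unavailable. The store API, the permission-table layout and the permissive default for unconfigured users are assumptions of this example.

```python
"""Fail-open vs fail-closed handling of a metadata-store lookup error in a
topic-authorization check (constructed model, not RabbitMQ's own code)."""
import re

# Constructed permission table: (vhost, user, exchange) -> regexp that the
# routing key must match for a topic publish to be allowed.
TOPIC_PERMS = {("vh", "alice", "amq.topic"): r"^tenant-a\..*"}


def store_lookup(key, *, store_failing=False):
    """Stand-in for a Khepri-style lookup: ('ok', value) or ('error', 'timeout').
    Assumption: a missing entry is returned as ('ok', None)."""
    if store_failing:
        return ("error", "timeout")
    return ("ok", TOPIC_PERMS.get(key))


def check_topic_fail_open(vhost, user, exchange, routing_key, *, store_failing=False):
    status, regexp = store_lookup((vhost, user, exchange), store_failing=store_failing)
    if status != "ok" or regexp is None:
        # Flaw: a timeout is folded into the "no topic permission configured"
        # branch, which is permissive, so denied publishes become allowed.
        return True
    return re.match(regexp, routing_key) is not None


def check_topic_fail_closed(vhost, user, exchange, routing_key, *, store_failing=False):
    status, regexp = store_lookup((vhost, user, exchange), store_failing=store_failing)
    if status != "ok":
        return False  # deny while the metadata store is unavailable
    if regexp is None:
        return True   # no permission configured: permissive default (assumption)
    return re.match(regexp, routing_key) is not None


def newly_allowed_during_outage(check, cases):
    """Cases that a checker denies with a healthy store but allows while the
    store fails; a non-empty result means the checker fails open."""
    return [c for c in cases
            if not check(*c) and check(*c, store_failing=True)]


# Constructed requests: alice publishing inside her tenant and across tenants.
CASES = [("vh", "alice", "amq.topic", "tenant-a.orders"),
         ("vh", "alice", "amq.topic", "tenant-b.orders")]

if __name__ == "__main__":
    print(newly_allowed_during_outage(check_topic_fail_open, CASES))    # cross-tenant case
    print(newly_allowed_during_outage(check_topic_fail_closed, CASES))  # []
```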