Improper access control in RabbitMQ Server - CVE-2026-57216
Published: June 25, 2026 / Updated: June 25, 2026
RabbitMQ Server
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass loopback-only authentication restrictions and obtain a live AMQP session as a loopback-restricted user.
The vulnerability exists due to improper access control in the loopback-user check in RabbitMQ listener authentication when processing connections accepted through a trusted PROXY-protocol frontend on a loopback-bound backend listener. A remote attacker can send a specially crafted PROXY-protocol connection with valid loopback-restricted credentials to bypass loopback-only authentication restrictions and obtain a live AMQP session as a loopback-restricted user.
Exploitation requires access to a trusted PROXY-protocol path and valid credentials for a user restricted to loopback connections.
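To check whether a node's configuration has the shape described above (PROXY protocol enabled, a loopback-bound listener, at least one loopback-restricted user), the following added example audits a rabbitmq.conf file. It is not code from this advisory or from the RabbitMQ project; the sample configuration and the user name svc_local are constructed, and the handling of the default guest user is a conservative assumption noted in the code.

```python
import ipaddress

# Constructed sample rabbitmq.conf; svc_local is a made-up user name.
SAMPLE_CONF = """\
# backend listener, reachable only through a local TCP frontend
listeners.tcp.local = 127.0.0.1:5672
proxy_protocol = true
loopback_users.svc_local = true
"""

def parse_conf(text):
    """Read the `key = value` lines of a rabbitmq.conf file into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def is_loopback_bind(value):
    """True when a listener value (`[address:]port`) binds a loopback address."""
    host, sep, _port = value.rpartition(":")
    if not sep:  # bare port: listens on all interfaces
        return False
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host == "localhost"

def audit(text):
    """Report whether the config combines the three conditions in the advisory."""
    s = parse_conf(text)
    proxy = s.get("proxy_protocol", "false").lower() == "true"
    listeners = sorted(k for k, v in s.items()
                       if k.startswith(("listeners.tcp.", "listeners.ssl."))
                       and is_loopback_bind(v))
    # Conservative assumption: the default loopback-only user `guest` stays
    # restricted unless the file explicitly lifts the restriction.
    users = set() if s.get("loopback_users") == "none" else {"guest"}
    for key, value in s.items():
        if key.startswith("loopback_users."):
            name = key.split(".", 1)[1]
            (users.add if value.lower() == "true" else users.discard)(name)
    return {"proxy_protocol": proxy, "loopback_listeners": listeners,
            "loopback_users": sorted(users),
            "matches_advisory_setup": proxy and bool(listeners) and bool(users)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A match only says the configuration has the shape the advisory describes; affected versions are not listed on this page.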