Cleartext storage of sensitive information in RabbitMQ Server - #VU137288
Published: July 10, 2026
RabbitMQ Server
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cleartext storage of sensitive information in the management UI login cookie when processing successful POST /login requests. A remote attacker can obtain the auth cookie value to disclose sensitive information.
The cookie stores the user's actual username and password in base64 form rather than a session token, and it is readable from JavaScript because it is set without the HttpOnly attribute.