Cross-site scripting in RabbitMQ Server - #VU137289

 

Cross-site scripting in RabbitMQ Server - #VU137289

Published: July 10, 2026


Vulnerability identifier: #VU137289
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
RabbitMQ Server

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in the management UI origin.

The vulnerability exists due to cross-site scripting in the OAuth bootstrap JavaScript endpoint set_token_auth/2 when emitting JavaScript from an attacker-influenced bearer token or access_token cookie. A remote attacker can supply a crafted token value to execute arbitrary JavaScript in the management UI origin.

Only deployments with OAuth enabled are exposed, and user interaction is required for the victim's browser to fetch bootstrap.js. Exploitation requires the ability to plant an access_token cookie on the management host, while the Authorization header path is reachable from a non-browser client that mediates an attacker-controlled request.


Remediation

Install security update from vendor's website.

Sources