Cross-site scripting in RabbitMQ Server - #VU137289
Published: July 10, 2026
RabbitMQ Server
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the management UI origin.
The vulnerability exists due to cross-site scripting in the OAuth bootstrap JavaScript endpoint set_token_auth/2 when emitting JavaScript from an attacker-influenced bearer token or access_token cookie. A remote attacker can supply a crafted token value to execute arbitrary JavaScript in the management UI origin.
Only deployments with OAuth enabled are exposed, and user interaction is required for the victim's browser to fetch bootstrap.js. Exploitation requires the ability to plant an access_token cookie on the management host, while the Authorization header path is reachable from a non-browser client that mediates an attacker-controlled request.