Cybersecurity experts have uncovered two significant access control vulnerabilities within the RabbitMQ message broker service. These flaws pose a risk by potentially leaking OAuth client secrets and exposing enterprise messaging systems to unauthorized access, which could lead to tenant boundary violations.
Details of the Discovered Flaws
The issues were identified by Miggo’s security team, who reported that one vulnerability could expose the broker’s OAuth secret to an unauthenticated user, potentially allowing full control over the broker configurations that rely on the secret. Another flaw permits any authenticated user to access data from other tenants without detection.
These vulnerabilities have been part of the RabbitMQ codebase since early 2024, affecting versions 3.13.0 and later. They have been patched in subsequent updates, including versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. Fortunately, there is no evidence suggesting these vulnerabilities were exploited before they were publicly disclosed.
Technical Breakdown of Vulnerabilities
The first flaw, identified as CVE-2026-57219 with a CVSS score of 8.7, involves an outdated HTTP API endpoint that exposes client secrets on RabbitMQ systems configured with OAuth 2. Attackers could exploit this to gain administrative access and control over messages, queues, users, and broker settings.
The second flaw, CVE-2026-57221, scored at 5.3, results from missing authorization checks. This allows authenticated users to view queue and exchange names and read message counts, regardless of their permission level.
Security Recommendations and Future Outlook
To mitigate these risks, users are advised to upgrade to the latest RabbitMQ versions and rotate OAuth client secrets, especially if the management interface is accessible via the internet. Restricting access to port 15672 and implementing firewall rules are also recommended to prevent unauthorized network access.
As RabbitMQ developers continue to strengthen security measures, addressing these vulnerabilities highlights the ongoing need for vigilance in protecting network infrastructures. Future updates and security practices will be essential in safeguarding against potential threats.
