A serious vulnerability in RabbitMQ is threatening enterprise messaging systems by allowing attackers to steal OAuth secrets and take full control of brokers. Tracked as CVE-2026-57219, the flaw has a CVSS score of 8.7 and affects popular RabbitMQ versions used across organizations for asynchronous communication and event-driven architectures.
Discovered by security researchers at Miggo, the vulnerability stems from an obsolete HTTP API endpoint, GET /api/auth, within RabbitMQ’s management plugin. When the management plugin is enabled and OAuth 2 is configured using the management.oauth_client_secret setting, the endpoint returns the broker’s confidential OAuth client secret to anyone who can reach it, without requiring authentication. Attackers can then exchange this secret for an administrator token, gaining complete control over every message, queue, user, and broker setting in the deployment.
The affected versions span all releases from 3.13.0 onwards, including branches 4.0, 4.1, and 4.2, up to the patched versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. Enterprises running RabbitMQ in cloud environments, multi-tenant architectures, or setups where the management interface has been inadvertently exposed to the internet face the highest risk. Installations without the management plugin or those not using the specific OAuth client secret configuration are not vulnerable, but many production systems do rely on these features for identity integration and centralized access control.
In addition to the primary flaw, RabbitMQ also addressed a second, medium-severity vulnerability, CVE-2026-57221, which allows any authenticated user to bypass tenant isolation and read statistics about queues and exchanges across virtual hosts. While this does not permit data modification, it enables attackers with low-level access to perform reconnaissance, map an organization’s messaging topology, and plan more targeted follow-up exploits. Both vulnerabilities have existed in the codebase since early 2024, but there is currently no evidence of active exploitation in the wild.
Mitigation tips
Organizations using RabbitMQ should prioritize applying the latest patches immediately, as software updates are the only reliable way to close the /api/auth endpoint and fix the authorization bypass. Until patches can be deployed, administrators should restrict network access to the management plugin, block internet exposure, and monitor for suspicious API requests.
After updating, it is critical to rotate OAuth client secrets, because the vulnerability may have already leaked credentials that remain valid even after the software is fixed. With enterprise messaging at the core of modern application workflows, prompt remediation is essential to prevent potential data breaches and operational disruptions.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article:
