AI Security AI安全 6h ago Updated 2h ago 更新于 2小时前 46

RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata RabbitMQ漏洞可能泄露OAuth密钥并暴露跨租户队列元数据

Two access control vulnerabilities in RabbitMQ allow unauthenticated leakage of OAuth client secrets and unauthorized enumeration of cross-tenant metadata. CVE-2026-57219 (CVSS 8.7) exposes the OAuth secret via an obsolete endpoint, enabling full broker takeover, while CVE-2026-57221 (CVSS 5.3) permits authenticated users to read other tenants' queue data. The flaws existed since early 2024 in versions 3.13.0 and later, affecting multi-tenant and cloud deployments where management ports are expo RabbitMQ存在两个访问控制缺陷,可导致OAuth客户端密钥泄露及跨租户数据暴露,影响3.13.0及以上版本。 CVE-2026-57219(CVSS 8.7)源于废弃API端点硬编码放行,使未认证攻击者可直接获取管理员权限。 CVE-2026-57221(CVSS 5.3)因缺乏授权检查,允许已登录用户枚举其他租户的队列元数据。 漏洞已在4.3.0、4.2.6等最新维护版本中修复,目前尚无证据表明遭到主动利用。 建议立即升级软件、轮换OAuth密钥,并通过防火墙限制管理端口访问以缓解风险。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Two access control vulnerabilities in RabbitMQ allow unauthenticated leakage of OAuth client secrets and unauthorized enumeration of cross-tenant metadata.
  • CVE-2026-57219 (CVSS 8.7) exposes the OAuth secret via an obsolete endpoint, enabling full broker takeover, while CVE-2026-57221 (CVSS 5.3) permits authenticated users to read other tenants' queue data.
  • The flaws existed since early 2024 in versions 3.13.0 and later, affecting multi-tenant and cloud deployments where management ports are exposed.
  • Mitigation requires immediate patching to fixed versions (e.g., 4.3.0, 3.13.15), rotating OAuth secrets, and restricting network access to the management interface.

Why It Matters

This disclosure highlights critical risks in enterprise messaging infrastructure, particularly for organizations using RabbitMQ for multi-tenant architectures or cloud-based deployments. The ability to leak OAuth secrets or enumerate tenant data without authentication undermines trust in identity management and data isolation mechanisms, potentially leading to complete system compromise or significant data breaches.

Technical Details

  • CVE-2026-57219 (CVSS 8.7): An obsolete HTTP API endpoint (GET /api/auth) lacked proper authorization checks, hard-coding access to allow requests. This exposed the management.oauth_client_secret configuration value to unauthenticated attackers, who could then exchange it for an administrator token to gain full control over messages, queues, users, and settings.
  • CVE-2026-57221 (CVSS 5.3): A missing authorization check allowed any authenticated user connected to a virtual host to enumerate all queue and exchange names within that host. Users could also read message counts and consumer counts across tenants, bypassing intended permission boundaries.
  • Affected Versions: The vulnerabilities were present in codebases from early 2024, impacting RabbitMQ release lines 3.13.0 and later. Fixed versions include 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15.
  • Context: These issues follow recent critical TLS and JWKS forgery vulnerabilities in RabbitMQ, indicating a pattern of access control and cryptographic implementation challenges in the broker's management interface.

Industry Insight

  • Audit Management Interfaces: Organizations must ensure RabbitMQ management ports (default 15672) are not exposed to untrusted networks or the internet. Implement strict firewall rules and network segmentation to limit access to administrative interfaces.
  • Review OAuth Configurations: If using OAuth 2 for management authentication, immediately rotate client secrets and verify that no obsolete endpoints remain enabled or accessible. Consider disabling legacy API endpoints entirely.
  • Strengthen Multi-Tenant Isolation: For environments using virtual hosts for tenant separation, enforce rigorous permission policies and monitor for metadata leakage. Regularly audit user permissions to ensure least-privilege access models are strictly maintained.

TL;DR

  • RabbitMQ存在两个访问控制缺陷,可导致OAuth客户端密钥泄露及跨租户数据暴露,影响3.13.0及以上版本。
  • CVE-2026-57219(CVSS 8.7)源于废弃API端点硬编码放行,使未认证攻击者可直接获取管理员权限。
  • CVE-2026-57221(CVSS 5.3)因缺乏授权检查,允许已登录用户枚举其他租户的队列元数据。
  • 漏洞已在4.3.0、4.2.6等最新维护版本中修复,目前尚无证据表明遭到主动利用。
  • 建议立即升级软件、轮换OAuth密钥,并通过防火墙限制管理端口访问以缓解风险。

为什么值得看

对于依赖RabbitMQ构建消息中间件的团队而言,此次披露揭示了身份验证与多租户隔离中的关键配置陷阱,特别是废弃API端点的处理疏忽可能导致整个Broker被接管。了解这些具体漏洞有助于企业审计现有的云原生消息队列安全策略,防止因配置不当引发的数据泄露或服务中断。

技术解析

  • CVE-2026-57219 (CVSS 8.7):这是一个严重的访问控制失效问题。在启用了OAuth 2管理接口的RabbitMQ实例中,废弃的HTTP API端点 GET /api/auth 的授权检查被硬编码为始终允许请求。这导致未认证的远程攻击者可以在单次请求中泄露 management.oauth_client_secret,进而交换获得管理员令牌,完全控制消息、队列、用户及Broker设置。
  • CVE-2026-57221 (CVSS 5.3):该漏洞涉及多租户环境下的权限绕过。任何能够连接到虚拟主机(Virtual Host)的已认证用户,无论其实际权限如何,都可以静默枚举该虚拟主机内的所有队列和交换机名称,并读取队列消息计数和消费者计数。这破坏了租户间的数据隔离边界。
  • 影响范围与修复:漏洞代码自2024年初引入,影响RabbitMQ 3.13.0及后续版本。官方已在4.3.0、4.2.6、4.1.11、4.0.20和3.13.15版本中发布补丁。此前未发现针对这两个特定漏洞的活跃利用活动。
  • 缓解措施:除了升级到最新版本,建议若管理界面暴露于互联网,应立即轮换OAuth客户端密钥;通过防火墙规则限制15672端口的访问;实施严格的虚拟主机租户隔离策略。

行业启示

  • 废弃组件的安全治理:此次漏洞源于“废弃”但未被正确禁用或鉴权的API端点。企业在维护开源基础设施时,必须定期审查并彻底移除或严格保护不再使用的接口,避免留下安全后门。
  • 云原生消息中间件的多租户风险:随着微服务架构普及,多租户消息队列成为常态。此案例强调了对虚拟主机(vhost)权限模型进行最小化权限审计的重要性,确保即使发生越权尝试,攻击者也无法横向移动或窃取元数据。
  • 供应链与配置安全并重:RabbitMQ作为广泛使用的开源组件,其安全性不仅取决于代码质量,更依赖于部署配置。运维团队应将自动化配置扫描纳入CI/CD流程,确保OAuth、TLS等敏感配置符合安全基线,而非仅依赖软件更新。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Open Source 开源 Security 安全