RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata
Two access control vulnerabilities in RabbitMQ allow unauthenticated leakage of OAuth client secrets and unauthorized enumeration of cross-tenant metadata. CVE-2026-57219 (CVSS 8.7) exposes the OAuth secret via an obsolete endpoint, enabling full broker takeover, while CVE-2026-57221 (CVSS 5.3) permits authenticated users to read other tenants' queue data. The flaws existed since early 2024 in versions 3.13.0 and later, affecting multi-tenant and cloud deployments where management ports are expo
Analysis
TL;DR
- Two access control vulnerabilities in RabbitMQ allow unauthenticated leakage of OAuth client secrets and unauthorized enumeration of cross-tenant metadata.
- CVE-2026-57219 (CVSS 8.7) exposes the OAuth secret via an obsolete endpoint, enabling full broker takeover, while CVE-2026-57221 (CVSS 5.3) permits authenticated users to read other tenants' queue data.
- The flaws existed since early 2024 in versions 3.13.0 and later, affecting multi-tenant and cloud deployments where management ports are exposed.
- Mitigation requires immediate patching to fixed versions (e.g., 4.3.0, 3.13.15), rotating OAuth secrets, and restricting network access to the management interface.
Why It Matters
This disclosure highlights critical risks in enterprise messaging infrastructure, particularly for organizations using RabbitMQ for multi-tenant architectures or cloud-based deployments. The ability to leak OAuth secrets or enumerate tenant data without authentication undermines trust in identity management and data isolation mechanisms, potentially leading to complete system compromise or significant data breaches.
Technical Details
- CVE-2026-57219 (CVSS 8.7): An obsolete HTTP API endpoint (
GET /api/auth) lacked proper authorization checks, hard-coding access to allow requests. This exposed themanagement.oauth_client_secretconfiguration value to unauthenticated attackers, who could then exchange it for an administrator token to gain full control over messages, queues, users, and settings. - CVE-2026-57221 (CVSS 5.3): A missing authorization check allowed any authenticated user connected to a virtual host to enumerate all queue and exchange names within that host. Users could also read message counts and consumer counts across tenants, bypassing intended permission boundaries.
- Affected Versions: The vulnerabilities were present in codebases from early 2024, impacting RabbitMQ release lines 3.13.0 and later. Fixed versions include 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15.
- Context: These issues follow recent critical TLS and JWKS forgery vulnerabilities in RabbitMQ, indicating a pattern of access control and cryptographic implementation challenges in the broker's management interface.
Industry Insight
- Audit Management Interfaces: Organizations must ensure RabbitMQ management ports (default 15672) are not exposed to untrusted networks or the internet. Implement strict firewall rules and network segmentation to limit access to administrative interfaces.
- Review OAuth Configurations: If using OAuth 2 for management authentication, immediately rotate client secrets and verify that no obsolete endpoints remain enabled or accessible. Consider disabling legacy API endpoints entirely.
- Strengthen Multi-Tenant Isolation: For environments using virtual hosts for tenant separation, enforce rigorous permission policies and monitor for metadata leakage. Regularly audit user permissions to ensure least-privilege access models are strictly maintained.
Disclaimer: The above content is generated by AI and is for reference only.