{"id":8725,"date":"2026-07-13T12:01:44","date_gmt":"2026-07-13T12:01:44","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8725"},"modified":"2026-07-13T12:01:44","modified_gmt":"2026-07-13T12:01:44","slug":"rabbitmq-flaws-expose-oauth-secrets-risk-complete-takeover-of-the-broker","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8725","title":{"rendered":"RabbitMQ flaws expose OAuth secrets, risk complete takeover of the broker"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p class=\"wp-block-paragraph\">RabbitMQ has patched two access control vulnerabilities affecting the widely used open-source message broker that could expose enterprise application data and, in some deployments, allow attackers to gain complete control over the messaging infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">The flaws, discovered by Miggo Security, exposed OAuth secrets to unauthenticated attackers, letting low-privileged users potentially spy on other tenants.<\/p>\n<p class=\"wp-block-paragraph\">\u201cRabbitMQ is the plumbing that moves data between services inside modern applications: orders, payments, authentication events, internal notifications,\u201d Miggo researchers explained in a report shared with CSO ahead of its publication on Monday. \u201cRabbitMQ is downloaded more than 15 million times a year, and the scale makes it a high-value target.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Affecting <a href=\"https:\/\/www.csoonline.com\/article\/4195470\/microsoft-uncovers-gigawiper-a-backdoor-designed-for-destruction-on-demand.html#:~:text=while%20command-and-control%20(C2)%20relies%20on%20RabbitMQ\">RabbitMQ<\/a> releases dating back to version 3.13.0, introduced in early 2024, the flaws have now been fixed in all supported versions.<\/p>\n<h2 class=\"wp-block-heading\">Obsolete endpoint leaked OAuth configurations<\/h2>\n<p class=\"wp-block-paragraph\">The more severe issue, tracked as CVE-2026-57219, allows anyone with network access to RabbitMQ\u2019s management interface to receive the broker\u2019s OAuth client secret without authentication.<\/p>\n<p class=\"wp-block-paragraph\">The flaw <a href=\"https:\/\/github.com\/rabbitmq\/rabbitmq-server\/security\/advisories\/GHSA-pj24-8j6m-vq9q\" target=\"_blank\" rel=\"noopener\">stems<\/a> from an obsolete management endpoint \u201cGET\/api\/auth\u201d\u00a0that returned RabbitMQ\u2019s OAuth configuration, which includes the broker\u2019s confidential OAuth client secret, to anyone who queried it. In deployments using confidential OAuth clients with providers such as Microsoft Entra ID, Auth0, Keycloak, or UAA, attackers could exchange the leaked secret for an administrator token and gain complete control over the broker.<\/p>\n<p class=\"wp-block-paragraph\">The problem was assigned a high severity score of CVSS 8.7 out of 10, and was fixed in the versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.<\/p>\n<p class=\"wp-block-paragraph\">RabbitMQ reportedly addressed the issue by removing the obsolete endpoint altogether, instead delivering OAuth configuration through an authenticated bootstrap mechanism that no longer exposes the client secret over HTTP.<\/p>\n<p class=\"wp-block-paragraph\">According to Miggo, successful exploitation could allow attackers to access or modify messages, create users, alter broker configuration, and effectively compromise the messaging layer supporting enterprise applications. The company recommended organizations to upgrade immediately, rotate any exposed OAuth client secrets after patching, and ensure the management interface is never exposed to untrusted networks.<\/p>\n<p class=\"wp-block-paragraph\">Broadcom, whose Tanzu division maintains RabbitMQ, did not immediately respond to CSO\u2019s request for comment.<\/p>\n<h2 class=\"wp-block-heading\">Authorization bypass for reconnaissance<\/h2>\n<p class=\"wp-block-paragraph\">The second vulnerability, CVE-2026-57221, is an authorization bypass affecting RabbitMQ\u2019s passive queue and exchange declaration operations.<\/p>\n<p class=\"wp-block-paragraph\">Although attackers <a href=\"https:\/\/github.com\/rabbitmq\/rabbitmq-server\/security\/advisories\/GHSA-9q2j-2hq8-22r2\" target=\"_blank\" rel=\"noopener\">need valid credentials<\/a> for exploitation, even accounts with no assigned permissions can discover whether queues and exchanges exist and retrieve metadata such as message counts and active consumers because the permission check is skipped.<\/p>\n<p class=\"wp-block-paragraph\">Miggo noted the flaw does not expose message contents or allow tampering, but it can leak valuable operational intelligence in shared environments. Attackers could map applications, monitor workload activity, and gather reconnaissance for subsequent attacks against other tenants sharing the same virtual host, the researchers added.<\/p>\n<p class=\"wp-block-paragraph\">RabbitMQ fixed the issue by ensuring passive queue and exchange declarations now enforce the same authorization checks as other operations. Because there is no configuration workaround or <a href=\"https:\/\/www.csoonline.com\/article\/1311264\/cloudflare-adds-new-waf-features-to-prevent-hackers-from-exploiting-llms.html\">WAF <\/a>mitigation for this flaw, organizations were advised to upgrade to a patched release and isolate tenants into separate virtual hosts until patching can be completed.<\/p>\n<p class=\"wp-block-paragraph\">Miggo said the vulnerabilities are the first CVEs discovered by its autonomous security research platform, VulnHunter, before being validated by its security team and disclosed to RabbitMQ maintainers, who reportedly confirmed the issues and released patches.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>RabbitMQ has patched two access control vulnerabilities affecting the widely used open-source message broker that could expose enterprise application data and, in some deployments, allow attackers to gain complete control over the messaging infrastructure. The flaws, discovered by Miggo Security, exposed OAuth secrets to unauthenticated attackers, letting low-privileged users potentially spy on other tenants. \u201cRabbitMQ [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8724,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8725"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8725"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8725\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8724"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}