RabbitMQ Vulnerabilities Expose OAuth Secrets, Enable Full Broker Control

RabbitMQ Vulnerabilities Expose OAuth Secrets, Enable Full Broker Control

First seen 13 Jul 2026, 21:56 UTC CsoonlineGbhackers 88% similarity 72.0

Article Content

Browse articles
ThreatCluster

Two critical access control vulnerabilities in RabbitMQ, tracked as CVE-2026-57219 and CVE-2026-57221, were disclosed by Miggo Security. The first flaw allows unauthenticated attackers to access OAuth client secrets via an obsolete endpoint, potentially enabling complete control over the messaging broker. The second vulnerability permits authenticated users with no permissions to enumerate queues and exchanges, leaking operational intelligence. RabbitMQ versions from 3.13.0 onward are affected, with patches released for versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. Organizations are urged to upgrade and rotate any exposed OAuth secrets immediately. The flaws impact a significant number of enterprise applications, as RabbitMQ is widely used in modern software architectures.

Key Points: • CVE-2026-57219 allows unauthenticated access to OAuth client secrets, risking full broker control. • CVE-2026-57221 enables credentialed users to leak metadata about queues and exchanges. • Organizations must patch affected RabbitMQ versions and rotate OAuth secrets promptly.

ThreatCluster AI

Timeline

2026-07-10
CVE-2026-57219 published
A vulnerability in RabbitMQ exposes OAuth client secrets to unauthenticated attackers via an obsolete endpoint.
Csoonline
2026-07-10
CVE-2026-57221 published
An authorization bypass vulnerability allows credentialed users to discover queues and exchanges without permissions.
Csoonline
Recent
RabbitMQ patches released
Patches for the vulnerabilities were released for RabbitMQ versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
Csoonline

Community

Browse all →