Full Report
Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries. Miggo's security team, which discovered and reported the flaws, said one "leaks the broker's confidential OAuth
Analysis Summary
# Vulnerability: RabbitMQ OAuth Secret Leak and Metadata Exposure
## CVE Details
- **CVE ID:** CVE-2026-57219, CVE-2026-57221
- **CVSS Score:**
- CVE-2026-57219: 8.7 (High)
- CVE-2026-57221: 5.3 (Medium)
- **CWE:** Missing Authorization; Information Exposure
## Affected Systems
- **Products:** RabbitMQ Message Broker
- **Versions:** 3.13.0 and later (all versions prior to the patches listed below)
- **Configurations:**
- **CVE-2026-57219:** Specifically impacts installations where OAuth 2 is configured using the `management.oauth_client_secret` configuration key.
- **CVE-2026-57221:** Impacts multi-tenant environments where users have access to specific virtual hosts.
## Vulnerability Description
Researchers from Miggo discovered two access control flaws in the RabbitMQ codebase:
1. **CVE-2026-57219:** An obsolete HTTP API endpoint (`GET /api/auth`) fails to perform proper authorization checks. It is hard-coded to allow requests without authentication, resulting in the disclosure of the broker’s confidential OAuth client secret. An attacker can use this secret to obtain an administrator token, leading to a full broker takeover.
2. **CVE-2026-57221:** A missing authorization check allows any authenticated user connected to a virtual host to bypass permission boundaries. They can enumerate all queue and exchange names and view message/consumer counts across other tenants in that virtual host.
## Exploitation
- **Status:** No evidence of active exploitation in the wild prior to disclosure; PoC details disclosed by researchers.
- **Complexity:**
- CVE-2026-57219: Low (Single unauthenticated request)
- CVE-2026-57221: Low (Requires valid login credentials)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full leak of OAuth secrets and tenant metadata)
- **Integrity:** High (Potential for full broker takeover and modification of settings/messages)
- **Availability:** High (Attacker can gain administrative control to disrupt services)
## Remediation
### Patches
The flaws have been addressed in the following RabbitMQ versions:
- 4.3.0
- 4.2.6
- 4.1.11
- 4.0.20
- 3.13.15
### Workarounds
- **Rotate Secrets:** Immediately rotate the OAuth client secret if the management interface was reachable over the internet.
- **Network Restriction:** Limit access to port 15672 (Management UI) to trusted internal networks only.
- **Firewalling:** Implement rules to block access specifically to the `GET /api/auth` endpoint.
- **Tenant Isolation:** Ensure strict separation of tenants by virtual host.
## Detection
- **Indicators of Compromise:** Unusual administrative logins or token exchanges originating from the management API. Monitoring for requests to the `/api/auth` endpoint from unauthorized or external IP addresses.
- **Detection methods and tools:** Audit HTTP access logs for the RabbitMQ Management plugin. Conduct vulnerability scans to identify if the management UI is exposed to the public internet.
## References
- [https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-pj24-8j6m-vq9q]
- [https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-9q2j-2hq8-22r2]
- [https://thehackernews.com/2026/07/rabbitmq-flaws-could-leak-oauth-secrets.html]