A high-severity vulnerability in RabbitMQ tracked as CVE-2026-5721 (CVSS 8.7) allows unauthenticated attackers to steal OAuth secrets from the message broker’s management interface, potentially granting full administrator control over queues, messages, and user accounts.
An obsolete endpoint leaks the keys
Cybersecurity firm Miggo discovered the flaw in a deprecated endpoint of RabbitMQ’s web management UI. In configurations where administrators set up OAuth 2/OIDC providers such as Auth0, Azure AD, Keycloak, or UAA, anyone who can reach the management port can retrieve the broker’s OAuth client secret without authentication.
“Anyone who could reach the management port could fetch it, then impersonate the broker to the identity provider and obtain an administrator token,” Miggo said. The risk is highest in cloud or multi-tenant setups and any deployment where the management UI is accidentally exposed to the internet.
Patches available after two-year window
The bug was introduced in RabbitMQ version 3.13.0 in early 2024 and sat undetected for over two years. Patches are available in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. A second flaw, CVE-2026-57221 (CVSS 5.3), allows authenticated users to enumerate queues and exchanges.
Miggo said neither bug is exotic: “They sat in the codebase for over two years. They are precisely the kind of quiet, systemic inconsistency that hides in mature, widely deployed software.” Organizations should patch immediately, block access to the management interface, and rotate OAuth client secrets.
