Critical RabbitMQ bug exposes OAuth secrets to unauthenticated attackers

A high-severity flaw in RabbitMQ lets attackers steal OAuth secrets from the management interface without authentication.

CSBadmin
2 Min Read

A high-severity vulnerability in RabbitMQ tracked as CVE-2026-5721 (CVSS 8.7) allows unauthenticated attackers to steal OAuth secrets from the message broker’s management interface, potentially granting full administrator control over queues, messages, and user accounts.

An obsolete endpoint leaks the keys

Cybersecurity firm Miggo discovered the flaw in a deprecated endpoint of RabbitMQ’s web management UI. In configurations where administrators set up OAuth 2/OIDC providers such as Auth0, Azure AD, Keycloak, or UAA, anyone who can reach the management port can retrieve the broker’s OAuth client secret without authentication.

“Anyone who could reach the management port could fetch it, then impersonate the broker to the identity provider and obtain an administrator token,” Miggo said. The risk is highest in cloud or multi-tenant setups and any deployment where the management UI is accidentally exposed to the internet.

Patches available after two-year window

The bug was introduced in RabbitMQ version 3.13.0 in early 2024 and sat undetected for over two years. Patches are available in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. A second flaw, CVE-2026-57221 (CVSS 5.3), allows authenticated users to enumerate queues and exchanges.

Miggo said neither bug is exotic: “They sat in the codebase for over two years. They are precisely the kind of quiet, systemic inconsistency that hides in mature, widely deployed software.” Organizations should patch immediately, block access to the management interface, and rotate OAuth client secrets.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.