A Hidden Door in RabbitMQ Left Company Systems Wide Open for Two Years

A flaw in the popular messaging software handed anyone on the network a master key to company data. Patches are out. Use them now.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • CVE-2026-5721, rated 8.7 out of 10 for severity, allowed anyone who could reach RabbitMQ's management port to silently steal an authentication secret without logging in.
  • The flaw was introduced in RabbitMQ version 3.13.0 in early 2024 and sat undetected for over two years.
  • Fixed versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15 were released after cybersecurity firm Miggo reported the issue.
  • A second, lower-severity flaw, CVE-2026-57221, let any logged-in user silently map the internal structure of a company's messaging system.
  • There is no evidence either flaw has been used in real attacks yet.

RabbitMQ is a piece of software that acts like a postal sorting office for company computer systems. Applications drop messages into it, and it routes them to the right destination. Banks, hospitals, retailers and cloud platforms use it constantly, often invisibly. If it fails or gets broken into, the damage can ripple across an entire organisation.

Security firm Miggo found a quiet but serious problem sitting inside it.

The flaw, tracked as CVE-2026-5721 (a security-flaw identifier maintained by the US National Vulnerability Database), lived in an old, forgotten endpoint inside RabbitMQ's management web interface. An endpoint is simply a web address the software responds to, like a door in a building. This particular door had no lock.

How bad could this actually get?

Bad, if your setup uses a standard identity system. Many companies connect RabbitMQ to an identity provider, a service that checks who you are before letting you in, such as Microsoft Azure Active Directory, Auth0, or Keycloak. To do that, RabbitMQ holds a shared secret, essentially a password that proves it is talking to the right identity service.

This forgotten endpoint handed that secret to anyone who asked. No username required. No password required. Just ask.

Once an attacker had the secret, they could pretend to be RabbitMQ itself, convince the identity provider they were legitimate, and collect an administrator token. An administrator token is a digital pass that grants full control: read messages, change settings, manage user accounts, empty or redirect queues. Everything.

Miggo described the risk plainly: cloud environments, multi-tenant setups where multiple companies share the same system, and any installation where the management interface was accidentally left visible on the public internet were all exposed.

The bug only bites if a client secret was configured. Deployments with no secret set, and those running without the management plugin at all, are safe.

A second flaw, CVE-2026-57221 (rated 5.3 out of 10), let any authenticated user, not just administrators, browse the internal layout of the messaging system. Think of it as letting a regular office visitor read the floor plan of a secure building. Useful intelligence for planning something worse later.

Patched versions are available now. As SecurityWeek reported, organisations should update immediately, block outside access to the management port if patching is not yet possible, and rotate, meaning replace, their OAuth client secret.

Miggo put it well: these bugs are not clever. They are the kind of quiet inconsistency that hides in mature, widely used software for years, read past by human reviewers and missed by automated scanners alike. Two years is a long time for an unlocked door.

© 2026 Threat Vectr