Two Security Flaws in RabbitMQ Could Let Attackers Steal Login Secrets and Take Over Corporate Messaging Systems

A widely used software tool that moves data between business applications has patched two vulnerabilities, one of which could hand criminals full control over the system without a password.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial 16:9 photograph of a dense tangle of illuminated fibre-optic cables running through a dark server room, cool blue and amber light catch
Share

Key points

  • RabbitMQ, downloaded more than 15 million times a year, patched two security flaws discovered by researchers at Miggo Security.
  • The more serious flaw, CVE-2026-57219, scored 8.7 out of 10 for severity and let anyone on the network steal an authentication secret without logging in.
  • Fixed versions are 3.13.15, 4.0.20, 4.1.11, and 4.2.6, released to cover all supported branches of the software.
  • A second flaw, CVE-2026-57221, let low-privileged users map internal systems they were never supposed to see.
  • Broadcom's Tanzu division maintains RabbitMQ and did not respond to a request for comment first reported by CSO Online.

RabbitMQ is plumbing. Not exciting plumbing, but essential plumbing: it is the open-source software, meaning software whose code is freely available and shared, that shuttles data between different parts of a business application. Orders, payments, login events, internal notifications. If your company's systems talk to each other, something like RabbitMQ is probably in the middle.

Two vulnerabilities in that software have now been patched. Researchers at Miggo Security found both. Neither is a ransomware incident. Both are the kind of quiet, structural flaw that makes future attacks much easier.

How did the hackers get in?

They did not need to "get in" in the traditional sense. The first flaw, CVE-2026-57219, a vulnerability that let anyone reach a hidden doorway in RabbitMQ's admin interface and walk out with a confidential key, required no password at all. An old, forgotten management endpoint called GET/api/auth was still answering requests from the open network. It handed out RabbitMQ's OAuth client secret, which is a private credential used to prove the software's identity to login providers like Microsoft Entra ID or Auth0. With that secret, a criminal could generate an administrator token and take full control of the broker.

Full control means reading messages, changing settings, creating users, and altering the configuration of every application that relies on the system. Miggo scored the flaw 8.7 out of 10 for severity. The fix was blunt and sensible: the obsolete endpoint was deleted entirely.

The second flaw, CVE-2026-57221, is an authorisation bypass, meaning a check that should have blocked low-level users from seeing certain information was simply skipped. Attackers still needed valid credentials to exploit it. Even so, an account with no real permissions could see whether message queues and exchanges (the internal channels data travels through) existed, how many messages were waiting, and how busy the system was. No message contents were exposed, and nothing could be changed. But that kind of map can help criminals plan a more targeted attack later.

Both flaws affect RabbitMQ releases going back to version 3.13.0, introduced in early 2024.

What should organisations do right now? Upgrade to a patched version: 3.13.15, 4.0.20, 4.1.11, or 4.2.6. After patching, rotate any OAuth client secrets that may have been exposed. Keep the RabbitMQ management interface off public or untrusted networks. Until patching is complete, isolate separate customers or departments into their own virtual hosts inside the software.

Ordinary customers of businesses running RabbitMQ are not directly at risk from these flaws. But if a criminal did exploit CVE-2026-57219 and took control of a broker, the data those systems carry, including order and payment information, could be at risk downstream.

© 2026 Threat Vectr