RabbitMQ shipped fixes on July 13, 2026 for two access-control flaws, and the way they were rated points defenders at the wrong one first. The high-severity bug, CVE-2026-57219 at CVSS 8.7, can hand an attacker full control of the broker. It only fires under a configuration most operators never set. The low-severity bug, CVE-2026-57221 at CVSS 5.3, needs nothing special and touches a much larger set of installs. Triage by the number in the advisory and you will patch in the wrong order.
Both were found by the security firm Miggo, whose automated analysis flagged them, and both were reported before any public exploitation. RabbitMQ is a message broker: back-of-house plumbing that moves work between the parts of an application. It is common in self-hosted stacks and quietly bundled inside appliances and container images. That last part is why this one lingers past patch day.
The severity ratings point the wrong way
CVE-2026-57219 lives in an obsolete management endpoint, GET /api/auth, that answered anyone with no login at all. According to Miggo, the code behind it was written to approve every caller by default: the one management route that skipped the permission gate its neighbors all enforced. On a broker configured to log into its management interface through an identity provider, the endpoint returned the OAuth client secret (management.oauth_client_secret) to whoever asked. An attacker trades that secret for an administrator token at your identity provider, presents it back to RabbitMQ, and controls every queue, message, user, and setting.
CVE-2026-57221 is smaller and stranger. A passive queue.declare or exchange.declare, the routine "does this exist?" check an application makes, skipped its permission test entirely. Any authenticated user could enumerate the names of every queue and exchange in a virtual host and read their message and consumer counts, regardless of the permissions they were actually granted. No takeover, but a clean map of a neighbor's traffic inside a shared tenant.
| Property | CVE-2026-57219 | CVE-2026-57221 |
|---|---|---|
| Severity | CVSS 8.7 (high) | CVSS 5.3 (moderate) |
| Precondition | Management login wired to OAuth, a client secret set, and the API reachable | Two or more tenants sharing one virtual host |
| Who can trigger it | Anyone, no login | Any authenticated user |
| What they get | The OAuth client secret, then an admin token: full broker control | Queue and exchange names, plus message and consumer counts, across the vhost |
| Typical exposure | The minority that put the management UI behind single sign-on | Most multi-tenant, shared-vhost deployments |
Who the broker-takeover bug can reach
The 8.7 depends on a choice you made. RabbitMQ's default is internal user accounts stored in the broker's own database. OAuth 2 login for the management interface is an opt-in integration you configure against an identity provider. If you never wired that up, there is no management.oauth_client_secret for GET /api/auth to hand out, and the takeover path does not open on your box.
The deployments genuinely in the blast radius did two things: connected the management interface to single sign-on, and left that management API reachable from a network they do not trust. That is a real population, common in larger shops with central identity, but it is not everyone. The "full broker takeover, no login required" framing reads as universal, and for most self-hosted operators running the default internal auth it is not. Check your own config before you panic-rate this a 9.
This is the same shape as the Salesforce connected-app breach we wrote up: the account was never the soft spot, the OAuth trust wired around it was. A leaked client secret is a working key until you rotate it, and it does not care that you have since patched.
The quiet bug is the one most deployments share
Flip the advisory's priority. If you run RabbitMQ with several teams or customers sharing one virtual host, CVE-2026-57221 is your live issue, and it needs only a valid low-privilege account to abuse. Names of queues and exchanges leak intent: a queue called payments.settlement or tenant-1234.exports tells an insider or a compromised low-tier account exactly where the valuable traffic sits, and the message counts show when it moves. That is reconnaissance handed over for free, inside the boundary you thought a permission model was enforcing.
We have seen this class before. A logged-in user reaching across a boundary the product implied was sealed is the same defect behind the Gogs cross-user repo read and Dell's Data Domain overreach. The lesson repeats: a missing authorization check on a "harmless" read is still a tenancy break.
Patching does not tell you whether the secret already left
Here is the part the version-bump advice skips. Because GET /api/auth required no login, an exposed broker leaves no login event to review. There is no failed-auth trail, no session, nothing in the places you would normally look for a break-in, because from the endpoint's point of view nothing was ever unauthorized. The only forensic signal is web-access logging on the management port: requests to /api/auth from addresses that have no business touching it.
So the honest posture for any broker whose management interface was reachable from an untrusted network is assume the secret is gone. Rotate it as if it were stolen, not as a precaution. Reviewing exposed management surfaces and hunting the access logs behind them is exactly the kind of work a threat hunting program should already own, and it is the step that closes this out rather than leaving a valid key in an attacker's pocket. The same holds in reverse for the metadata bug: there is no server-side signal for CVE-2026-57221 at all, so patching is the only real fix there.
Rotate the secret, then inventory every broker
Upgrade first. The flaws reach back to RabbitMQ 3.13.0, introduced in early 2024, and are fixed across five release branches. Move to the fixed build on your line:
| Release branch | Fixed build |
|---|---|
| 4.3.x | 4.3.0 |
| 4.2.x | 4.2.6 |
| 4.1.x | 4.1.11 |
| 4.0.x | 4.0.20 |
| 3.13.x | 3.13.15 |
Then, in order of what pays off:
- If your management interface used OAuth and was reachable off a trusted network, rotate the
management.oauth_client_secretat your identity provider and treat the old value as burned. - Keep the management port,
15672, off any untrusted network. It is an operator surface, not a public one. - Split tenants across separate virtual hosts instead of sharing one, so the metadata bug and its successors have nothing to enumerate.
- Inventory every RabbitMQ you run, including the ones you did not install yourself. Frozen container images, Helm charts pinned to an old chart, and brokers embedded inside appliances all ship 3.13.x and will lag the fix for months. The version bump is easy; finding the copies is the work.
A web-application firewall rule blocking /api/auth buys time on the OAuth leak, but it does nothing for the metadata bug and it is not a substitute for the upgrade. For prioritizing this against the rest of your patch queue, our vulnerability detection guidance covers how KEV status and real exposure, not the raw CVSS, should set the order. That is the whole point of this pair: the 8.7 is narrow, the 5.3 is wide, and the number alone would have you patch them backwards.