Skip to main content

RabbitMQ Management CVE-2026-44839

| EUVDEUVD-2026-32549 MEDIUM
Basic XSS (CWE-80)
2026-05-27 security-advisories@github.com
5.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.2 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
Red Hat
3.5 LOW
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 21:16 vuln.today
Analysis Generated
May 27, 2026 - 21:16 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.

AnalysisAI

Stored cross-site scripting (XSS) in the RabbitMQ Management Plugin web UI allows a high-privileged authenticated attacker to inject malicious script content that executes in the browser of another administrative user viewing the affected page. Affected deployments span RabbitMQ Server 3.7.0 through 4.0.12 and 4.1.0-alpha through 4.1.1. No public exploit code or active exploitation has been identified at time of analysis; however, successful exploitation can result in high confidentiality impact, consistent with session token theft or credential harvesting within the management console.

Technical ContextAI

RabbitMQ Server's Management Plugin (rabbitmq_management) provides an HTTP-based administrative web UI built on Erlang/OTP with Cowboy as the HTTP server and EJS (Embedded JavaScript) templates for client-side rendering. The vulnerability is rooted in CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a subtype of reflected/stored XSS. Examination of the commit diff for the fix (7f54319) reveals that EJS templates in vhost.ejs and vhosts.ejs rendered user-controlled values - specifically vhost names and node names - using <%= %> interpolation within HTML attribute contexts (form hidden input values). When a vhost name containing script-bearing HTML characters was stored and subsequently rendered for a different admin session, the browser would interpret the injected content. The fix introduces the vhost restart UI feature alongside corrected template rendering. Affected CPE strings cover rabbitmq-server from 3.7.0 through the patched releases.

RemediationAI

Vendor-released patches are available: upgrade to RabbitMQ Server 4.0.13 (for the 4.0.x line) or 4.1.2 (for the 4.1.x line). Patch details and release artifacts are referenced via the GitHub Security Advisory at https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-fh5r-jpm3-fjwp and the fix commit at https://github.com/rabbitmq/rabbitmq-server/commit/7f54319279d1ece161ae0b4cdc6f0e58a4045eb5. For deployments that cannot patch immediately, restrict network access to the management UI port (default 15672) to trusted administrative hosts only, using firewall rules or a reverse proxy with IP allowlisting - this eliminates the AV:N attack vector. Additionally, enforce the principle of least privilege by ensuring only essential, individually-accountable accounts hold administrator roles, which reduces the probability that an attacker could acquire the PR:H credentials needed for exploitation. Note that disabling the management plugin entirely is a functional workaround but removes all web-based administration capabilities.

CVE-2019-11287 HIGH POC
7.5 Nov 23

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x ver

CVE-2016-9877 CRITICAL
9.8 Dec 29

An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.

CVE-2025-50200 MEDIUM POC
5.5 Jun 19

RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in

CVE-2026-57219 HIGH
8.7 Jul 10

Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured

CVE-2017-4966 HIGH
7.8 Jun 13

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions p

CVE-2021-22117 HIGH
7.8 May 18

RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing

CVE-2026-57220 HIGH
7.5 Jul 10

Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash o

CVE-2026-57214 HIGH
7.1 Jul 10

Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange d

CVE-2026-57212 HIGH
7.1 Jul 10

Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or deg

CVE-2026-57217 HIGH
7.0 Jul 10

Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or

CVE-2026-57215 HIGH
7.0 Jul 10

Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated

CVE-2026-57216 CRITICAL
10.0 Jul 10

Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restrict

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-44839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy