Skip to main content

RabbitMQ CVE-2026-57215

| EUVDEUVD-2026-43022 HIGH
Incorrect Authorization (CWE-863)
2026-07-10 GitHub_M
7.0
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Authenticated client (PR:L) over the network (AV:N) exploiting a timing/route-persistence race (AC:H) to read another client's replies, crossing a trust boundary (S:C) with confidentiality-only impact (C:H, I:N, A:N).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 22:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:25 vuln.today

DescriptionCVE.org

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, RabbitMQ allows foreign bindings to amq.rabbitmq.reply-to destinations because volatile direct-reply-to queues can be accepted at bind and route time but are missing from Khepri-backed deletion checks, leaving persistent route entries after unbind. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.

AnalysisAI

Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated client to create foreign bindings against another connection's volatile amq.rabbitmq.reply-to (direct reply-to) destination, so persistent route entries survive after unbind and can leak RPC reply traffic intended for other clients. The flaw stems from Khepri-backed deletion checks that omit these volatile pseudo-queues, letting stale routes persist. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to broker with valid credentials
Delivery
Declare foreign binding to victim's amq.rabbitmq.reply-to
Exploit
Stale route persists past unbind in Khepri
Execution
Capture RPC reply messages meant for other client
Impact
Disclose confidential response data

Vulnerability AssessmentAI

Exploitation Requires an authenticated broker connection (CVSS PR:L) with permission to declare bindings within a virtual host shared with the victim's RPC workload, and the deployment must use the direct reply-to pattern via the amq.rabbitmq.reply-to pseudo-destination with the Khepri metadata store. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score is 7.0 (High) with vector AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N - network-reachable but requiring low-level authentication (PR:L) and, importantly, high attack complexity (AC:H), with impact limited to confidentiality of the vulnerable system (VC:H) and a subsequent-system confidentiality impact (SC:H), and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding valid broker credentials in a multi-tenant RabbitMQ deployment binds a queue of their own to another client's amq.rabbitmq.reply-to destination; because the volatile route entry is not cleaned up in Khepri's deletion checks, the foreign binding persists and the attacker receives RPC reply messages intended for the legitimate requester, disclosing confidential response data. No public POC is referenced, and the high attack complexity means the attacker must satisfy timing/route-persistence conditions to reliably capture replies.
Remediation Vendor-released patch: upgrade to RabbitMQ 3.13.15, 4.0.20, 4.1.11, or 4.2.6 (or later) depending on your branch - these are the exact fixed versions named by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all RabbitMQ deployments and determine which versions run versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-11287 HIGH POC
7.5 Nov 23

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x ver

CVE-2016-9877 CRITICAL
9.8 Dec 29

An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.

CVE-2025-50200 MEDIUM POC
5.5 Jun 19

RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in

CVE-2026-57219 HIGH
8.7 Jul 10

Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured

CVE-2017-4966 HIGH
7.8 Jun 13

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions p

CVE-2021-22117 HIGH
7.8 May 18

RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing

CVE-2026-57220 HIGH
7.5 Jul 10

Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash o

CVE-2026-57214 HIGH
7.1 Jul 10

Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange d

CVE-2026-57212 HIGH
7.1 Jul 10

Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or deg

CVE-2026-57217 HIGH
7.0 Jul 10

Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or

CVE-2026-57216 CRITICAL
10.0 Jul 10

Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restrict

CVE-2026-57211 CRITICAL
10.0 Jul 10

Server-side request forgery and NTLM credential exposure in the RabbitMQ management plugin (versions 4.1.0 to before 4.1

Share

CVE-2026-57215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy