Skip to main content

rabbitmq-aws CVE-2026-9133

| EUVDEUVD-2026-31181 HIGH
Active Debug Code (CWE-489)
2026-05-20 AMZN
8.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 20, 2026 - 20:31 vuln.today
Analysis Generated
May 20, 2026 - 20:31 vuln.today
CVSS changed
May 20, 2026 - 20:22 NVD
7.7 (HIGH) 8.3 (HIGH)

DescriptionCVE.org

Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process.

To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.

AnalysisAI

Arbitrary file read in amazon-mq rabbitmq-aws before 0.2.1 allows authenticated remote users to read any file accessible to the RabbitMQ process by submitting a crafted arn:aws-debug:file scheme to the PUT /api/aws/arn/validate validation endpoint. The flaw stems from leftover debug code in the ARN resolver and was reported by AWS itself; no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

rabbitmq-aws is the Amazon MQ integration library for RabbitMQ that resolves AWS resource identifiers (ARNs) used for cluster configuration and AWS service interactions. The vulnerability falls under CWE-489 (Active Debug Code): a non-production ARN scheme, arn:aws-debug:file, was left wired into the production ARN resolver and reachable through the PUT /api/aws/arn/validate endpoint, where the validation routine evidently dereferences the path component and returns file contents instead of restricting input to legitimate AWS ARN schemes. Affected component per NVD CPE is cpe:2.3:a:aws:rabbitmq_aws, and the upstream 0.2.1 release notes explicitly call out 'Remove debug ARN format' as the fix.

RemediationAI

Vendor-released patch: rabbitmq-aws 0.2.1, available at https://github.com/amazon-mq/rabbitmq-aws/releases/tag/0.2.1, whose release notes confirm removal of the debug ARN format. Upgrade all RabbitMQ nodes using this plugin to 0.2.1 or later, and, as AWS specifically recommends, rotate any private TLS certificate keys associated with RabbitMQ connections because those keys may have been disclosed via the file-read primitive prior to patching. If immediate upgrade is not possible, restrict network access to the RabbitMQ management/API plane so that PUT /api/aws/arn/validate is reachable only from trusted administrative networks and audit existing low-privilege management accounts; this reduces exposure but does not eliminate risk from any user who already holds management credentials, and is not a substitute for upgrading. Consult the AWS advisory at https://aws.amazon.com/security/security-bulletins/2026-034-aws/ and GHSA-8554-wg4r-7hxm for the authoritative guidance.

Share

CVE-2026-9133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy