Skip to main content

RabbitMQ MQTT Plugin EUVDEUVD-2026-32548

| CVE-2026-44838 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-27 security-advisories@github.com
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:16 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionGitHub Advisory

RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to topics that include their client ID. However, the client_id is provided by the user in the MQTT CONNECT packet and is inserted into the regex pattern without escaping special regex characters. This flaw enables an authenticated MQTT user to inject regex operators to bypass authorization. This vulnerability is fixed in 4.2.4 and 4.3.0.

AnalysisAI

{client_id}-sensors$', the unsanitized client_id value is embedded directly into the server-side regex, letting a crafted client_id (e.g., '.*' or 'legit|(admin)') alter the pattern's matching logic and grant access to topics the user should not reach. No public exploit has been identified at time of analysis, and the attack requires both valid MQTT credentials and a specifically configured authorization policy, but the high subsequent system impact (SC:H/SI:H per CVSS 4.0) elevates this beyond a simple medium-severity finding for affected deployments.

Technical ContextAI

RabbitMQ is an open-source message broker supporting AMQP, MQTT, STOMP, and other protocols. The MQTT plugin implements topic-level access control through regex-based authorization policies with runtime variable substitution - administrators write patterns like '^{client_id}-sensors$' where '{client_id}' is replaced at connection time with the value the MQTT client sends in the CONNECT packet. The root cause is CWE-863 (Incorrect Authorization), specifically a failure to escape regex metacharacters before interpolating untrusted user input into a security-enforcing pattern. This is structurally identical to injection vulnerabilities in SQL or shell contexts: the authorization boundary collapses because the system conflates user-controlled data with pattern-control syntax. The CVSS 4.0 AT:P (Attack Target: Particular) metric correctly reflects that exploitation requires this specific feature to be configured. Affected versions per EUVD data: rabbitmq-server 4.2.0 up to but not including 4.2.4.

RemediationAI

The primary fix is upgrading RabbitMQ to version 4.2.4 or 4.3.0, both confirmed by the vendor as containing the patch per the GitHub Security Advisory GHSA-x866-xp2g-cx8v. If immediate upgrade is not possible, the most targeted compensating control is to audit and temporarily rewrite MQTT topic authorization policies to avoid variable substitution patterns entirely - replacing patterns like '^{client_id}-sensors$' with explicit, fully literal topic ACLs or with per-user vhost-level access controls that do not rely on runtime regex interpolation. This eliminates the injection surface without disabling MQTT connectivity. A secondary option is to enforce strict client_id format validation at the network or application layer (e.g., via a reverse proxy or connection firewall rule) to reject client_ids containing regex metacharacters ('.', '*', '(', ')', '[', ']', '^', '$', '|', '+'). Note that this approach requires ongoing maintenance as new metacharacters or encoding variants emerge. The GitHub advisory at https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-x866-xp2g-cx8v should be consulted for any additional vendor guidance.

CVE-2019-11287 HIGH POC
7.5 Nov 23

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x ver

CVE-2016-9877 CRITICAL
9.8 Dec 29

An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.

CVE-2025-50200 MEDIUM POC
5.5 Jun 19

RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in

CVE-2026-57219 HIGH
8.7 Jul 10

Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured

CVE-2017-4966 HIGH
7.8 Jun 13

An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions p

CVE-2021-22117 HIGH
7.8 May 18

RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing

CVE-2026-57220 HIGH
7.5 Jul 10

Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash o

CVE-2026-57214 HIGH
7.1 Jul 10

Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange d

CVE-2026-57212 HIGH
7.1 Jul 10

Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or deg

CVE-2026-57217 HIGH
7.0 Jul 10

Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or

CVE-2026-57215 HIGH
7.0 Jul 10

Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated

CVE-2026-57216 CRITICAL
10.0 Jul 10

Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restrict

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-32548 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy