Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Remote unauthenticated static handler (AV:N/PR:N/UI:N) but gated by Windows plus non-default multi-plugin config (AC:H); impact is DNS/SMB coercion and NetNTLM leak, so C:H with no integrity, availability, or scope change.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionNVD
RabbitMQ is a messaging and streaming broker. Prior to 4.1.11 and 4.2.6 on Windows, the RabbitMQ management plugin static file handler rabbit_mgmt_wm_static can pass URL-encoded backslashes to erl_prim_loader:read_file_info before path validation when multiple management extension plugins are enabled, causing outbound DNS and SMB requests to attacker-controlled UNC paths. This issue is fixed in versions 4.1.11 and 4.2.6.
AnalysisAI
Server-side request forgery and NTLM credential exposure in the RabbitMQ management plugin (versions 4.1.0 to before 4.1.11 and 4.2.0 to before 4.2.6) on Windows lets remote actors coerce the broker into outbound DNS and SMB connections to attacker-controlled UNC paths. The static file handler rabbit_mgmt_wm_static passes URL-encoded backslashes to erl_prim_loader:read_file_info before path validation, but only when multiple management extension plugins are enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running RabbitMQ on Windows (UNC/SMB path semantics do not apply on Linux or macOS) and to have MULTIPLE management extension plugins enabled - the vulnerable rabbit_mgmt_wm_static code path only mishandles the URL-encoded backslash under that plugin arrangement, which is not the default configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the RabbitMQ management HTTP endpoint on a Windows host sends a crafted static-file request whose path contains URL-encoded backslashes pointing to a UNC path such as \\attacker.example.com\share\file. The Windows host resolves the attacker's hostname and opens an SMB connection to it before path validation, leaking a DNS query and the machine's NetNTLM authentication material for capture or relay. … |
| Remediation | Vendor-released patch: upgrade to RabbitMQ 4.1.11 or 4.2.6 (or later), as delivered in commits 39c3a8e9c71da0403d8dfc13f700e60c936e3682 and 6730797f6a34b4e8308cea60adf1243857e70204 and PR https://github.com/rabbitmq/rabbitmq-server/pull/15803, with the fixed 4.2.6 release at https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.6 and details in advisory https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-7v84-m3g5-vxq6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all Windows-deployed RabbitMQ installations to identify instances running affected versions (4.1.0-4.1.10 or 4.2.0-4.2.5) with multiple management extension plugins enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Rabbitmq Server
View allPivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x ver
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in
Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions p
RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing
Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash o
Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange d
Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or deg
Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or
Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated
Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restrict
Same weakness CWE-36 – Absolute Path Traversal
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43016