DarkReading

CVE-2026-5721 RabbitMQ Vulnerability Exposes OAuth Secrets


A newly disclosed RabbitMQ vulnerability, tracked as CVE-2026-5721, has raised concerns among enterprise users after researchers revealed that the flaw could allow unauthenticated attackers to retrieve a broker’s confidential OAuth client secret. The successful exploitation could enable attackers to impersonate the broker, obtain administrator-level access, and potentially take control of the messaging infrastructure. 

CVE-2026-5721 Allows Exposure of OAuth Client Secrets 

RabbitMQ, a widely used open source message broker that enables asynchronous communication by routing, buffering, and distributing messages between applications, is affected by the issue. The CVE-2026-5721 flaw carries a CVSS severity score of 8.7 and stems from an exposed management endpoint that returns the OAuth client secret without requiring authentication. 

The RabbitMQ vulnerability originates from an obsolete endpoint in the platform’s management web interface. It can be exploited when administrators configure the broker with a confidential password for identity provider authentication.  

The risk is particularly significant in deployments using OAuth 2.0 or OpenID Connect identity providers such as Auth0, Azure AD/Entra ID, Keycloak, or UAA, where confidential client secrets are commonly configured. In such environments, attackers exploiting CVE-2026-5721 could obtain administrator tokens and gain control over users, queues, messages, and broker configurations. 

Which RabbitMQ Deployments Are at Risk? 

However, systems without a configured client secret are not vulnerable because there is no credential to expose. Likewise, RabbitMQ deployments that do not use the management plugin are unaffected by this RabbitMQ vulnerability. 

Cybersecurity firm Miggo warned that the highest risk exists when the management interface is accessible from untrusted networks. The risk is sharpest wherever the management port is reachable by an untrusted network: cloud or multi-tenant setups, or a management UI accidentally exposed to the internet,” the company said. 

The CVE-2026-5721 flaw was introduced in RabbitMQ version 3.13.0 in early 2024. It has since been patched in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. 

Patches Also Address a Second Security Flaw 

The security updates also fix CVE-2026-57221, a medium-severity vulnerability with a CVSS score of 5.3. This authorization issue allows any authenticated user to enumerate queues and exchanges while viewing related statistics. According to Miggo, attackers could use the flaw to map an organization’s virtual host, infer business activity, and collect intelligence for future attacks, particularly in multi-tenant environments where multiple teams or applications share the same virtual host. 

To reduce exposure to the RabbitMQ vulnerability, organizations are advised to update affected deployments immediately, restrict access to vulnerable systems if patching cannot be performed, prevent public exposure of the management interface, implement network segmentation, and rotate OAuth client secrets.  

Although there is currently no evidence that CVE-2026-5721 has been exploited in the wild, Miggo noted, “Neither of these RabbitMQ bugs is exotic. They sat in the codebase for over two years. They are precisely the kind of quiet, systemic inconsistency that hides in mature, widely deployed software: the kind a human reviewer reads past, and a single-pass tool fails to compare against everything around it.” 



Source link