
The problem was assigned a high severity score of CVSS 8.7 out of 10, and was fixed in the versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
RabbitMQ reportedly addressed the issue by removing the obsolete endpoint altogether, instead delivering OAuth configuration through an authenticated bootstrap mechanism that no longer exposes the client secret over HTTP.
According to Miggo, successful exploitation could allow attackers to access or modify messages, create users, alter broker configuration, and effectively compromise the messaging layer supporting enterprise applications. The company recommended organizations to upgrade immediately, rotate any exposed OAuth client secrets after patching, and ensure the management interface is never exposed to untrusted networks.
