A newly disclosed vulnerability in RabbitMQ, the widely used open-source message broker, lets unauthenticated attackers steal the broker’s confidential OAuth client secret — and from there, take full control. Discovered by security firm Miggo, the bug is a serious threat to enterprises running RabbitMQ behind OAuth-based identity providers.
Table of Contents
The Main Flaw: CVE-2026-5721
Tracked as CVE-2026-5721 (CVSS 8.7), the vulnerability lives in an obsolete endpoint in RabbitMQ’s management web interface that returns the OAuth secret to anyone who can reach it — no authentication required.
Here’s the attack chain in plain terms:
- An attacker reaches the exposed management port.
- They fetch the confidential OAuth client secret from the open endpoint.
- They use that secret to impersonate the broker to the identity provider (Auth0, Azure AD/Entra ID, Keycloak, or UAA).
- They obtain an administrator token — gaining control over users, messages, queues, and broker settings.
As Miggo puts it: “Anyone who could reach the management port could fetch it, then… impersonate the broker to the identity provider and obtain an administrator token.”
Who Is (and Isn’t) Affected
| Configuration | At risk? |
|---|---|
| OAuth 2/OIDC provider with a confidential client secret configured | Yes — this is the standard setup |
| No client secret configured | No — there’s no secret to leak |
| No management plugin installed | No |
The danger is sharpest wherever the management port is reachable from an untrusted network — cloud, multi-tenant deployments, or a management UI accidentally exposed to the internet.
A Second Bug: CVE-2026-57221
The same updates fix CVE-2026-57221 (CVSS 5.3), a medium-severity missing-authorization flaw letting any authenticated user enumerate queues and exchanges and read their statistics. That enables an attacker to map virtual hosts, infer business activity, and gather intelligence — a real risk in multi-tenant environments sharing a virtual host.
Patch and Mitigation
CVE-2026-5721 was introduced back in RabbitMQ 3.13.0 (early 2024) and has now been fixed in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. Organizations should:
- Update immediately to a patched release
- Block access to vulnerable instances if patching isn’t possible
- Ensure the management interface is not exposed to the internet
- Implement network segmentation
- Rotate the OAuth client secret
There’s no evidence of in-the-wild exploitation yet — but the secret should be treated as potentially compromised on affected systems.




