Critical RabbitMQ Flaw Hands Attackers the Keys to the Broker CVE-2026-5721

A newly disclosed vulnerability in RabbitMQ, the widely used open-source message broker, lets unauthenticated attackers steal the broker’s confidential OAuth client secret — and from there, take full control. Discovered by security firm Miggo, the bug is a serious threat to enterprises running RabbitMQ behind OAuth-based identity providers.

The Main Flaw: CVE-2026-5721

Tracked as CVE-2026-5721 (CVSS 8.7), the vulnerability lives in an obsolete endpoint in RabbitMQ’s management web interface that returns the OAuth secret to anyone who can reach it — no authentication required.

Here’s the attack chain in plain terms:

  1. An attacker reaches the exposed management port.
  2. They fetch the confidential OAuth client secret from the open endpoint.
  3. They use that secret to impersonate the broker to the identity provider (Auth0, Azure AD/Entra ID, Keycloak, or UAA).
  4. They obtain an administrator token — gaining control over users, messages, queues, and broker settings.

As Miggo puts it: “Anyone who could reach the management port could fetch it, then… impersonate the broker to the identity provider and obtain an administrator token.”

Who Is (and Isn’t) Affected

ConfigurationAt risk?
OAuth 2/OIDC provider with a confidential client secret configuredYes — this is the standard setup
No client secret configuredNo — there’s no secret to leak
No management plugin installedNo

The danger is sharpest wherever the management port is reachable from an untrusted network — cloud, multi-tenant deployments, or a management UI accidentally exposed to the internet.

A Second Bug: CVE-2026-57221

The same updates fix CVE-2026-57221 (CVSS 5.3), a medium-severity missing-authorization flaw letting any authenticated user enumerate queues and exchanges and read their statistics. That enables an attacker to map virtual hosts, infer business activity, and gather intelligence — a real risk in multi-tenant environments sharing a virtual host.

Patch and Mitigation

CVE-2026-5721 was introduced back in RabbitMQ 3.13.0 (early 2024) and has now been fixed in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. Organizations should:

  • Update immediately to a patched release
  • Block access to vulnerable instances if patching isn’t possible
  • Ensure the management interface is not exposed to the internet
  • Implement network segmentation
  • Rotate the OAuth client secret

There’s no evidence of in-the-wild exploitation yet — but the secret should be treated as potentially compromised on affected systems.

Related Reading

Avatar photo
David Cao

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

Articles: 688

Leave a Reply

Your email address will not be published. Required fields are marked *