CVE-2026-57217

MEDIUM

RabbitMQ: Topic authorization can lead to cross-tenant routing-key bypass

Title source: cna
STIX 2.1

Description

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.21, 4.1.11, and 4.2.6, RabbitMQ topic authorization can allow restricted topic writes and binds during metadata-store failures because topic-permission lookup errors from Khepri can collapse to undefined, which the internal backend treats as allow. This issue is fixed in versions 3.13.15, 4.0.21, 4.1.11, and 4.2.6.

Scores

CVSS v3 6.5
EPSS 0.0027
EPSS Percentile 18.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (5)
broadcom/rabbitmq_server 3.13.0 - 4.2.6
rabbitmq/rabbitmq-server >= 3.13.0, < 3.13.15
rabbitmq/rabbitmq-server >= 4.0.0, < 4.0.21
rabbitmq/rabbitmq-server >= 4.1.0, < 4.1.11
rabbitmq/rabbitmq-server >= 4.2.0, < 4.2.6
Published Jul 10, 2026
Tracked Since Jul 11, 2026