CVE-2026-57221

MEDIUM

RabbitMQ: Passive queue/exchange declaration bypasses authorization checks, leaking queue metadata to unprivileged users

Title source: cna
STIX 2.1

Description

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, RabbitMQ does not perform authorization checks on passive queue.declare and exchange.declare AMQP 0-9-1 operations, allowing any authenticated user who can connect to a virtual host to enumerate queue and exchange names and read queue message and consumer counts. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.

Scores

CVSS v3 5.0
EPSS 0.0027
EPSS Percentile 18.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (5)
broadcom/rabbitmq_server 3.13.0 - 4.2.6
rabbitmq/rabbitmq-server >= 3.13.0, < 3.13.15
rabbitmq/rabbitmq-server >= 4.0.0, < 4.0.21
rabbitmq/rabbitmq-server >= 4.1.0, < 4.1.11
rabbitmq/rabbitmq-server >= 4.2.0, < 4.2.6
Published Jul 10, 2026
Tracked Since Jul 11, 2026