[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVZsQI6uu0mT5t7EGoOlfqqwHYVJ9EDYUuK-EtPsuus0":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"52c33b3a-636e-420e-86d5-fdc434868c05","RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata","rabbitmq-flaws-could-leak-oauth-secrets-and-expose-cross-tenant-queue-metadata-32eaa1","Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries. Miggo's security team, which discovered and reported the flaws, said one \"leaks the broker's confidential OAuth","Cybersecurity researchers disclosed two access control vulnerabilities in RabbitMQ message broker affecting versions 3.13.0 and later. CVE-2026-57219 (CVSS 8.7) exposes OAuth client secrets via an obsolete HTTP endpoint, enabling full broker takeover, while CVE-2026-57221 (CVSS 5.3) allows authenticated users to enumerate and read metadata from other tenants' queues. Both flaws have been patched in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15, with no evidence of active exploitation.","Two access control flaws in RabbitMQ leak OAuth secrets and expose cross-tenant queue metadata.","RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata Ravie LakshmananJul 14, 2026Vulnerability \u002F Network Security Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries. Miggo's security team, which discovered and reported the flaws, said one \"leaks the broker's confidential OAuth secret to an unauthenticated attacker in a single request, a direct path to full broker takeover in the configurations that use that secret.\" The second vulnerability allows any logged-in user to silently read other tenants' data. Both shortcomings are said to have been present in the codebase since early 2024, impacting RabbitMQ release lines from 3.13.0 and later. They have been addressed in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15. There is no evidence of active exploitation of either of the vulnerabilities prior to the public disclosure. A brief description of the two flaws is below - CVE-2026-57219 (CVSS score: 8.7) - An obsolete HTTP API endpoint (\"GET \u002Fapi\u002Fauth\") that reveals client secret on RabbitMQ installations that had OAuth 2 configured to use the management.oauth_client_secret configuration key, allowing an attacker to exchange it for an administrator token and obtain full control of every message, queue, user, and broker setting. CVE-2026-57221 (CVSS score: 5.3) - A missing authorization that allows any authenticated user who can connect to a virtual host to enumerate all queue and exchange names in that virtual host and read queue message counts and consumer counts, regardless of their actual permissions. \"The endpoint's authorization check was hard-coded to always allow the request, unlike every other sensitive management endpoint,\" Miggo said about CVE-2026-57219. \"The risk is sharpest wherever the management port is reachable by an untrusted network: cloud or multi-tenant setups, or a management UI accidentally exposed to the internet.\" Besides patching to the latest versions, it's advised to rotate the OAuth client secret if the management interface is reachable over the internet, limit access to port 15672 to prevent the management interface from being reachable over the network, separate tenants by virtual host, and implement firewall rules to block access to the vulnerable endpoint on unpatched instances. The disclosure comes as RabbitMQ maintainers addressed two critical-severity flaws that could result in a TLS client-authentication bypass (CVSS score: 9.1) and allow an attacker in an adversary-in-the-middle (AitM) position to forge JSON Web Key Set (JWKS) responses and cause the broker to accept arbitrary JWTs (CVSS score: 9.2). Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  API Security, Application Security, Cloud security, enterprise security, Identity and Access Management, network security, Open Source Security, Vulnerability ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP\u002F3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New \"Bad Epoll\" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Frabbitmq-flaws-could-leak-oauth-secrets.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjhhRQ9rN4_5eYqXiJ7svWKwWY0dcPiiALZ6EkDG05ruFzTANJtwyw_w2Ht29dON1oFiLAkQkE0M75FYExbXmvFSr4jU0K0sNlwRxG3Q1rU51ouVIt3UtnrazRwhCer3coTHbU3So1dXx_8Frh1KhJKKXc7Lq2h5DZTGkBq35Y2ngnGVg6wAGubf8cVRx0F\u002Fs1600\u002Frebbitmq.jpg","2026-07-14T13:48:07+00:00","2026-07-14T16:00:18.465856+00:00",9,[18,21,24,26],{"name":19,"type":20},"RabbitMQ","product",{"name":22,"type":23},"RabbitMQ (VMware)","vendor",{"name":25,"type":23},"Miggo",{"name":27,"type":28},"OAuth 2.0","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":29,"icon":31,"name":32,"slug":33},null,"Vulnerabilities","vulnerabilities",[35,40,45],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":46},{"id":47,"icon":31,"name":48,"slug":49},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",[51,55],{"type":52,"value":53,"context":54},"cve","CVE-2026-57219","OAuth client secret leakage via obsolete HTTP API endpoint \u002Fapi\u002Fauth on RabbitMQ",{"type":52,"value":56,"context":57},"CVE-2026-57221","Missing authorization allowing authenticated users to enumerate and read cross-tenant queue metadata"]