{"data":{"id":"5f3a0ec2-4f92-4fde-aec6-63c07325c4c7","title":"RabbitMQ flaws expose OAuth secrets, risk complete takeover of the broker","summary":"RabbitMQ, a widely-used open-source message broker that transfers data between services in applications, had two security flaws that could expose OAuth secrets (authentication credentials) and allow attackers to take over the system. The more severe vulnerability let anyone access the broker's OAuth client secret without logging in, potentially giving attackers complete control, while the second flaw allowed even low-privilege users to discover and monitor queues and exchanges (the message storage and routing systems) they shouldn't have access to.","solution":"For CVE-2026-57219: upgrade to patched versions 3.13.15, 4.0.20, 4.1.11, or 4.2.6. RabbitMQ fixed this by removing the vulnerable endpoint and delivering OAuth configuration through \"an authenticated bootstrap mechanism that no longer exposes the client secret over HTTP.\" Additionally, organizations should \"rotate any exposed OAuth client secrets after patching and ensure the management interface is never exposed to untrusted networks.\" For CVE-2026-57221: upgrade to a patched release, and \"isolate tenants into separate virtual hosts until patching can be completed\" since there is no configuration workaround or WAF (web application firewall) mitigation. RabbitMQ fixed this by ensuring passive queue and exchange declarations now enforce authorization checks.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4196093/rabbitmq-flaws-expose-oauth-secrets-risk-complete-takeover-of-the-broker.html","publishedAt":"2026-07-13T12:01:44.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["RabbitMQ","Broadcom Tanzu","Microsoft Entra ID","Auth0","Keycloak"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-07-13T12:01:44.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}