Regex Injection Flaw in RabbitMQ's MQTT Plugin
CVE-2026-44838

5.3MEDIUM

Key Information:

Vendor: RabbitMQ
Status: RabbitMQ-server
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-44838?

A regex injection vulnerability exists in the MQTT plugin of RabbitMQ versions 4.2.0 to 4.2.3. This flaw arises from improper handling of user-provided client IDs in regex patterns. Since the client ID is inserted directly into the regex without escaping special characters, an authenticated user could craft input that injects malicious regex operators. This manipulation allows the user to bypass authorization mechanisms that should restrict access to topics based on client ID patterns. Administrators should upgrade to RabbitMQ version 4.2.4 or later to mitigate this risk.

Affected Version(s)

rabbitmq-server >= 4.2.0, < 4.2.4

References

https://github.com/rabbitmq/rabbitmq-server/security/advi...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44838 Data

JSON