Cross-Site Scripting Vulnerability in RabbitMQ Federation Management Plugin
CVE-2026-57213

5.7MEDIUM

Key Information:

Vendor

RabbitMQ

Vendor
CVE Published:
10 July 2026

What is CVE-2026-57213?

The RabbitMQ federation management plugin is vulnerable to a cross-site scripting (XSS) issue due to improper handling of the consumer_tag field on the Federation Status page. This flaw allows authenticated users with the ability to configure a federation upstream or a policy to inject harmful JavaScript into the page. When viewed by another user, the injected script runs in their browser, potentially leading to unauthorized actions or data exposure. The vulnerability has been addressed in the recent updates, with fixes implemented in RabbitMQ versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5, ensuring safer operation of the platform.

Affected Version(s)

rabbitmq-server >= 4.2.0, < 4.2.5 < 4.2.0, 4.2.5

rabbitmq-server >= 4.1.0, < 4.1.10 < 4.1.0, 4.1.10

rabbitmq-server >= 4.0.0, < 4.0.19 < 4.0.0, 4.0.19

References

CVSS V4

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.