Cross-Site Scripting Vulnerability in RabbitMQ Federation Management Plugin
CVE-2026-57213
What is CVE-2026-57213?
The RabbitMQ federation management plugin is vulnerable to a cross-site scripting (XSS) issue due to improper handling of the consumer_tag field on the Federation Status page. This flaw allows authenticated users with the ability to configure a federation upstream or a policy to inject harmful JavaScript into the page. When viewed by another user, the injected script runs in their browser, potentially leading to unauthorized actions or data exposure. The vulnerability has been addressed in the recent updates, with fixes implemented in RabbitMQ versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5, ensuring safer operation of the platform.
Affected Version(s)
rabbitmq-server >= 4.2.0, < 4.2.5 < 4.2.0, 4.2.5
rabbitmq-server >= 4.1.0, < 4.1.10 < 4.1.0, 4.1.10
rabbitmq-server >= 4.0.0, < 4.0.19 < 4.0.0, 4.0.19
