Foreign Binding Vulnerability in RabbitMQ Messaging and Streaming Broker
CVE-2026-57215

7HIGH

Key Information:

Vendor

RabbitMQ

Vendor
CVE Published:
10 July 2026

What is CVE-2026-57215?

Prior to specific versions, RabbitMQ allows foreign bindings to the amq.rabbitmq.reply-to destinations, posing a risk of persistent route entries due to inadequate deletion checks. This occurs when volatile direct-reply-to queues are accepted at bind and route time but are overlooked during unbind operations. As a result, not only can persistent bindings remain active even after intended deletion, but it generates potential routes for unauthorized message interception and manipulation, compromising the integrity of the messaging system. The issue has been rectified in the latest RabbitMQ versions.

Affected Version(s)

rabbitmq-server >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6

rabbitmq-server >= 4.1.0, < 4.1.11 < 4.1.0, 4.1.11

rabbitmq-server >= 4.0.0, < 4.0.21 < 4.0.0, 4.0.21

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.