Foreign Binding Vulnerability in RabbitMQ Messaging and Streaming Broker
CVE-2026-57215
What is CVE-2026-57215?
Prior to specific versions, RabbitMQ allows foreign bindings to the amq.rabbitmq.reply-to destinations, posing a risk of persistent route entries due to inadequate deletion checks. This occurs when volatile direct-reply-to queues are accepted at bind and route time but are overlooked during unbind operations. As a result, not only can persistent bindings remain active even after intended deletion, but it generates potential routes for unauthorized message interception and manipulation, compromising the integrity of the messaging system. The issue has been rectified in the latest RabbitMQ versions.
Affected Version(s)
rabbitmq-server >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6
rabbitmq-server >= 4.1.0, < 4.1.11 < 4.1.0, 4.1.11
rabbitmq-server >= 4.0.0, < 4.0.21 < 4.0.0, 4.0.21
