Authentication Bypass in RabbitMQ Affecting Remote Connections
CVE-2026-57216

6.8MEDIUM

Key Information:

Vendor

RabbitMQ

Vendor
CVE Published:
10 July 2026

What is CVE-2026-57216?

RabbitMQ, a well-known messaging and streaming broker, has a vulnerability that allows a loopback-restricted user, such as a guest, to connect remotely under specific conditions. This occurs when traffic is allowed through a trusted PROXY-protocol path while the backend listener is loopback-bound. The loopback check incorrectly relies on the listener-side socket address instead of the actual client source, potentially allowing unauthorized access. This issue has been addressed in the subsequent versions—3.13.15, 4.0.20, 4.1.11, and 4.2.6.

Affected Version(s)

rabbitmq-server >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6

rabbitmq-server >= 4.1.0, < 4.1.11 < 4.1.0, 4.1.11

rabbitmq-server >= 4.0.0, < 4.0.21 < 4.0.0, 4.0.21

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.