Authentication Bypass in RabbitMQ Affecting Remote Connections
CVE-2026-57216
6.8MEDIUM
What is CVE-2026-57216?
RabbitMQ, a well-known messaging and streaming broker, has a vulnerability that allows a loopback-restricted user, such as a guest, to connect remotely under specific conditions. This occurs when traffic is allowed through a trusted PROXY-protocol path while the backend listener is loopback-bound. The loopback check incorrectly relies on the listener-side socket address instead of the actual client source, potentially allowing unauthorized access. This issue has been addressed in the subsequent versions—3.13.15, 4.0.20, 4.1.11, and 4.2.6.
Affected Version(s)
rabbitmq-server >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6
rabbitmq-server >= 4.1.0, < 4.1.11 < 4.1.0, 4.1.11
rabbitmq-server >= 4.0.0, < 4.0.21 < 4.0.0, 4.0.21
