OAuth 2 Client Secret Exposure in RabbitMQ Management Plugin
CVE-2026-57219

8.7HIGH

Key Information:

Vendor

RabbitMQ

Vendor
CVE Published:
10 July 2026

What is CVE-2026-57219?

In RabbitMQ, versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, an obsolete endpoint - GET /api/auth - poses a risk by potentially disclosing the OAuth 2 client secret. This vulnerability arises when the management plugin and OAuth configuration are enabled, allowing unauthenticated users to access sensitive credential information. Users are strongly advised to upgrade to the latest versions to mitigate this security risk.

Affected Version(s)

rabbitmq-server >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6

rabbitmq-server >= 4.1.0, < 4.1.11 < 4.1.0, 4.1.11

rabbitmq-server >= 4.0.0, < 4.0.21 < 4.0.0, 4.0.21

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.