OAuth 2 Client Secret Exposure in RabbitMQ Management Plugin
CVE-2026-57219
8.7HIGH
What is CVE-2026-57219?
In RabbitMQ, versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, an obsolete endpoint - GET /api/auth - poses a risk by potentially disclosing the OAuth 2 client secret. This vulnerability arises when the management plugin and OAuth configuration are enabled, allowing unauthenticated users to access sensitive credential information. Users are strongly advised to upgrade to the latest versions to mitigate this security risk.
Affected Version(s)
rabbitmq-server >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6
rabbitmq-server >= 4.1.0, < 4.1.11 < 4.1.0, 4.1.11
rabbitmq-server >= 4.0.0, < 4.0.21 < 4.0.0, 4.0.21
