Home

Description

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauth_client_secret, exposing credentials to unauthenticated callers when the management plugin and that OAuth configuration are enabled. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.

PUBLISHED Reserved 2026-06-24 | Published 2026-07-10 | Updated 2026-07-14 | Assigner GitHub_M




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

>= 4.2.0, < 4.2.6
affected

>= 4.1.0, < 4.1.11
affected

>= 4.0.0, < 4.0.21
affected

>= 3.13.0, < 3.13.15
affected

References

github.com/...server/security/advisories/GHSA-pj24-8j6m-vq9q

github.com/rabbitmq/rabbitmq-server/pull/16083

github.com/rabbitmq/rabbitmq-server/pull/16086

github.com/...ommit/98b1daf740237c85941e8addcbea6e74f4a2743c

github.com/...ommit/aa387c4451e7b674df3e3ba89df86a99d697cc7f

github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.6

cve.org (CVE-2026-57219)

nvd.nist.gov (CVE-2026-57219)

Download JSON