Attackers Can Steal OAuth Secrets and Impersonate RabbitMQ Brokers in New Critical Flaw
By
Mr Bagel
A critical vulnerability in RabbitMQ's management web interface allows unauthenticated attackers to steal the broker's OAuth client secret and potentially gain full administrative control, according to radar.offseq.com. The flaw, tracked as CVE-2026-5721, targets configurations where the OAuth secret is set and the management port is exposed to untrusted networks.
"unauthenticated attackers to obtain the broker's confidential OAuth client secret"
By using the stolen secret, an attacker can impersonate the broker to the identity provider and obtain administrator tokens, enabling control over users, messages, queues, and broker settings. The vulnerability was introduced in RabbitMQ version 3.13.0 and affects versions up to the fixes released in 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
A second flaw, CVE-2026-57221, was also disclosed and lets authenticated users enumerate queues and exchanges, increasing reconnaissance risks in shared or internet-exposed deployments, according to hendryadrian.com. Together, the two vulnerabilities pose a significant threat to enterprises relying on RabbitMQ's OAuth/OIDC integrations.
"The vulnerabilities affect OAuth/OIDC integrations with providers like Auth0, Azure AD, Entra ID, and Keycloak."
Organizations using those identity providers with an exposed management interface are at heightened risk of broker takeover and data exposure. The flaw does not affect instances without the management plugin or without a configured client secret.
RabbitMQ has released patched versions for all affected branches, and administrators are urged to update immediately or restrict access to the management web interface as a workaround. The disclosure underscores the critical importance of securing message broker infrastructure against credential theft.
The reporting
10 outlets covered this story. Each links to the original.


Baker's Take
Comments
Sign in to join the conversation.
No comments yet. Be the first.