CVE-2026-57211 in RabbitMQ
Summary
by MITRE • 07/11/2026
RabbitMQ is a messaging and streaming broker. Prior to 4.1.11 and 4.2.6 on Windows, the RabbitMQ management plugin static file handler rabbit_mgmt_wm_static can pass URL-encoded backslashes to erl_prim_loader:read_file_info before path validation when multiple management extension plugins are enabled, causing outbound DNS and SMB requests to attacker-controlled UNC paths. This issue is fixed in versions 4.1.11 and 4.2.6.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/11/2026
The vulnerability in RabbitMQ affects versions prior to 4.1.11 and 4.2.6 on Windows systems where the management plugin's static file handler rabbit_mgmt_wm_static fails to properly validate URL-encoded backslashes before passing them to erl_prim_loader:read_file_info. This flaw occurs specifically when multiple management extension plugins are enabled, creating a path traversal scenario that allows maliciously crafted URLs to bypass normal security controls.
The technical implementation of this vulnerability stems from insufficient input validation in the static file handling mechanism. When an attacker crafts a URL with encoded backslashes and accesses the management plugin interface, the system processes these characters without proper sanitization before invoking erl_prim_loader:read_file_info. This function then attempts to resolve the path information, which triggers outbound DNS queries and SMB connections to attacker-controlled UNC paths.
The operational impact of this vulnerability is significant as it enables remote attackers to perform unauthorized network reconnaissance through DNS queries and potentially execute malicious code through SMB connections. The attack vector requires no authentication to the RabbitMQ management interface, making it particularly dangerous in environments where management plugins are exposed to untrusted networks. The vulnerability essentially allows an attacker to probe internal network resources and potentially exfiltrate data or establish command and control channels.
This issue maps to CWE-22 Path Traversal and CWE-129 Improper Validation of Input, with potential ATT&CK framework mappings to T1071.004 Application Layer Protocol and T1046 Network Service Scanning. The vulnerability demonstrates a classic case of insufficient input validation combined with improper path handling in a messaging system that is often deployed in enterprise environments where network segmentation may be inadequate.
Organizations should immediately upgrade to RabbitMQ versions 4.1.11 or 4.2.6 to remediate this vulnerability. In addition to upgrading, administrators should ensure that management plugins are not exposed to untrusted networks and implement proper network segmentation controls. The fix addresses the core issue by implementing proper URL decoding and path validation before any file system operations occur, preventing the problematic backslash sequences from reaching the erl_prim_loader functions that trigger the unintended network activity.
Security monitoring should be enhanced to detect unusual DNS and SMB traffic patterns originating from RabbitMQ servers, particularly when these connections target non-standard or attacker-controlled endpoints. Network administrators should also review access controls for management interfaces and consider implementing web application firewalls or similar protective measures to filter malicious requests before they reach the vulnerable components. The vulnerability highlights the importance of proper input validation in all components of enterprise messaging systems where external access may occur.