CVE-2026-57213 in RabbitMQ
Summary
by MITRE • 07/10/2026
RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_federation_management plugin renders the consumer_tag field on the Federation Status page without HTML escaping, allowing a user who can configure a federation upstream or policy to execute JavaScript in the browser of a user viewing that page. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability identified in RabbitMQ affects versions prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5 where the rabbitmq_federation_management plugin fails to properly escape HTML content when rendering the consumer_tag field on the Federation Status page. This represents a classic cross-site scripting vulnerability that falls under CWE-79, which specifically addresses cross-site scripting flaws in web applications. The security flaw occurs within the web interface component of the messaging broker, where unescaped user-supplied data from federation upstream configurations is directly rendered into HTML without proper sanitization mechanisms.
The technical exploitation of this vulnerability requires an attacker to have the ability to configure federation upstreams or policies within the RabbitMQ system, which typically involves administrative privileges or equivalent access levels. Once such access is obtained, the malicious actor can inject JavaScript code into the consumer_tag field through federation configuration parameters. When another user with appropriate permissions views the Federation Status page, their browser executes the injected script within the context of the vulnerable web application, potentially leading to session hijacking, data exfiltration, or further compromise of the system. This type of attack aligns with ATT&CK technique T1566.002, which covers spearphishing attachments in enterprise environments.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform actions that would normally require legitimate administrative access. An attacker could potentially steal session cookies, redirect users to malicious sites, or manipulate the web interface to hide malicious activities. The scope of exploitation is limited by the requirement for existing federation configuration privileges, but within the context of a system where federation is actively used, this represents a significant risk. The vulnerability affects organizations that rely on RabbitMQ's federation capabilities for message routing across distributed systems, particularly those with multiple administrators who may not follow strict access control policies.
Organizations should immediately upgrade to the patched versions 3.13.14, 4.0.19, 4.1.10, or 4.2.5 to remediate this vulnerability. While the fix addresses the core HTML escaping issue, system administrators should also review existing federation configurations and audit access controls to ensure that only trusted entities have the ability to configure upstreams or policies. Additional mitigations include implementing web application firewalls to detect and block suspicious JavaScript patterns in web traffic and conducting regular security assessments of web interfaces within messaging systems. The vulnerability demonstrates the critical importance of input sanitization in web-based management interfaces, particularly in enterprise messaging platforms where administrative functions are exposed through browser-based consoles. Organizations should also consider implementing principle of least privilege access controls for federation management features to limit potential damage from compromised accounts or insider threats.