CVE-2026-57217 in RabbitMQinfo

Summary

by MITRE • 07/10/2026

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.21, 4.1.11, and 4.2.6, RabbitMQ topic authorization can allow restricted topic writes and binds during metadata-store failures because topic-permission lookup errors from Khepri can collapse to undefined, which the internal backend treats as allow. This issue is fixed in versions 3.13.15, 4.0.21, 4.1.11, and 4.2.6.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

RabbitMQ serves as a critical messaging infrastructure component in distributed systems, facilitating reliable message queuing and streaming operations across various enterprise environments. The software's security model relies heavily on proper access control mechanisms to prevent unauthorized operations on message queues, exchanges, and topics. When these controls fail, the consequences can extend far beyond individual system breaches to compromise entire distributed applications. The vulnerability affects multiple version streams including 3.13.x, 4.0.x, 4.1.x, and 4.2.x, indicating a fundamental issue within the authorization subsystem that has persisted across several major releases.

The technical flaw manifests in RabbitMQ's handling of topic authorization during metadata-store failures, specifically involving the Khepri backend component responsible for storing and retrieving access control information. When Khepri encounters errors during topic-permission lookups, the error conditions can collapse to an undefined state rather than properly failing closed. This undefined state is subsequently interpreted by RabbitMQ's internal authorization framework as a permission to allow the requested operation, creating a security bypass that allows restricted users to perform unauthorized topic writes and binds. The issue stems from inadequate error handling within the authorization pipeline where exceptional conditions are not properly translated into deny decisions.

The operational impact of this vulnerability extends beyond simple access control violations to potentially enable lateral movement within messaging infrastructure and data exfiltration scenarios. An attacker who can trigger metadata-store failures or exploit the undefined state condition could gain unauthorized access to topic subscriptions, potentially allowing them to intercept messages intended for other consumers or inject malicious payloads into message streams. This vulnerability particularly affects environments where RabbitMQ serves as a central messaging hub for microservices architectures, event-driven systems, and distributed transaction processing. The issue represents a classic security by exception problem where error conditions that should result in strict access denial instead result in permissive behavior.

The fix implemented in versions 3.13.15, 4.0.21, 4.1.11, and 4.2.6 addresses the root cause by ensuring proper error handling for Khepri lookup failures, explicitly treating undefined states as denial rather than allowance. This change aligns with security principle of least privilege and fails closed behavior when system components encounter exceptional conditions. Organizations should prioritize upgrading to these fixed versions while implementing monitoring for metadata-store failure conditions that could trigger this vulnerability. The issue demonstrates the critical importance of proper error handling in security-sensitive systems and the potential for seemingly minor implementation flaws to create significant access control bypasses.

This vulnerability maps to CWE-252, which describes "Unchecked Return Value" in security contexts where return values are not properly validated, and relates to ATT&CK technique T1078.004 for valid accounts with elevated privileges that can be gained through improper authorization handling. The remediation process requires careful consideration of rollback procedures and testing to ensure that the new error handling behavior does not introduce performance regressions or other unintended side effects in normal operational conditions.

Responsible

GitHub M

Reservation

06/24/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!