CVE-2026-57219 in Server
Summary
by MITRE • 07/10/2026
RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauth_client_secret, exposing credentials to unauthenticated callers when the management plugin and that OAuth configuration are enabled. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in RabbitMQ affects versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6 where the deprecated GET /api/auth endpoint inadvertently exposes OAuth 2 client secrets through improper access control mechanisms. This represents a critical security flaw that undermines the confidentiality of authentication credentials within messaging infrastructure deployments. The vulnerability specifically impacts installations configured with the management.oauth_client_secret parameter, which is used to establish OAuth 2 authentication flows for the RabbitMQ management plugin interface.
The technical flaw stems from insufficient authorization checks within the obsolete API endpoint that handles authentication requests. When the management plugin is enabled alongside OAuth configuration, the GET /api/auth endpoint fails to properly validate caller credentials before returning sensitive authentication information including client secrets. This represents a violation of the principle of least privilege and demonstrates poor input validation practices that allow unauthorized access to privileged system information. The vulnerability can be classified under CWE-284, which addresses inadequate access control mechanisms, and specifically relates to improper authorization scenarios within web application interfaces.
The operational impact of this vulnerability extends beyond simple credential exposure as it enables attackers to gain unauthorized access to messaging infrastructure components. An unauthenticated attacker who discovers the vulnerable endpoint can directly retrieve OAuth 2 client secrets without requiring any prior authentication or authorization credentials. This exposure compromises the entire authentication framework and potentially allows attackers to impersonate legitimate clients within the RabbitMQ ecosystem, leading to data interception, message manipulation, and potential system compromise. The vulnerability aligns with ATT&CK technique T1566 which covers credential harvesting through various means including API endpoint exploitation.
Organizations utilizing RabbitMQ management plugin with OAuth 2 configuration face significant risk from this vulnerability as it provides attackers with direct access to authentication tokens that can be used for further attacks within the network infrastructure. The exposure of client secrets essentially invalidates the security benefits of implementing OAuth 2 authentication, creating a false sense of security while leaving systems vulnerable to unauthorized access. Mitigation efforts must include immediate upgrade to patched versions and careful review of existing OAuth configurations to ensure proper access controls are in place. Security teams should also implement network segmentation and monitoring of API endpoint access patterns to detect potential exploitation attempts. The vulnerability underscores the importance of proper access control implementation and the dangers of retaining deprecated functionality without adequate security review processes.