{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3abroadcomrabbitmq_server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-57211"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RabbitMQ management UI"],"_cs_severities":["high"],"_cs_tags":["vulnerability","ssrf","rabbitmq","windows","msrc"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eCVE-2026-57211, disclosed by Microsoft, describes a Server-Side Request Forgery (SSRF) vulnerability specifically affecting the RabbitMQ management UI when hosted on Windows operating systems. This vulnerability allows an unauthenticated remote attacker to craft requests that force the vulnerable RabbitMQ server to initiate outbound connections to arbitrary Universal Naming Convention (UNC) paths. This critical flaw could enable attackers to perform NTLM credential relay attacks by pointing the server to a malicious SMB share, leading to credential theft, or to conduct internal network reconnaissance by attempting connections to various internal network resources via UNC paths. While the advisory does not specify observed exploitation, the nature of SSRF in a management interface presents a significant risk to internal network security. Organizations utilizing RabbitMQ on Windows are strongly advised to review and apply the necessary security updates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies a RabbitMQ instance running its management UI on a Windows server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the RabbitMQ management UI.\u003c/li\u003e\n\u003cli\u003eThis crafted request includes a parameter or payload designed to trigger the Server-Side Request Forgery (SSRF) vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerability causes the RabbitMQ server to attempt to initiate an outbound network connection to an attacker-controlled Universal Naming Convention (UNC) path (e.g., \u003ccode\u003e\\\\attacker-ip\\share\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf the attacker controls an SMB server at the specified UNC path, the Windows server hosting RabbitMQ will attempt NTLM authentication, sending its hashed credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures these NTLM hashes, which can then be cracked offline or used in NTLM relay attacks to gain unauthorized access to other services or systems within the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-57211 can lead to significant information disclosure and potential lateral movement within an organization's network. Attackers can leverage the SSRF to force the RabbitMQ server to connect to arbitrary internal or external UNC paths. This can result in NTLM credential leakage, where the server's NTLM hash is sent to an attacker-controlled SMB share, allowing for offline cracking or NTLM relay attacks. Furthermore, the ability to make arbitrary outbound connections can be used for internal network reconnaissance, mapping network topologies, and identifying other vulnerable services or devices, escalating the potential for further compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update addressing CVE-2026-57211 released by VMware immediately to all affected RabbitMQ installations running on Windows.\u003c/li\u003e\n\u003cli\u003eRestrict outbound network connections from RabbitMQ servers to only necessary and trusted destinations to mitigate the impact of SSRF vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement host-based firewalls or network segmentation to prevent RabbitMQ servers from initiating SMB connections to arbitrary UNC paths or untrusted internal hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T07:47:21Z","date_published":"2026-07-15T07:47:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-unc-ssrf/","summary":"CVE-2026-57211 details a Server-Side Request Forgery (SSRF) vulnerability within the RabbitMQ management UI when deployed on Windows, enabling an attacker to coerce the server into making requests to arbitrary UNC paths, potentially leading to NTLM credential disclosure or internal network reconnaissance.","title":"RabbitMQ Management UI UNC SSRF Vulnerability (CVE-2026-57211) on Windows","url":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-unc-ssrf/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-57217"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RabbitMQ"],"_cs_severities":["low"],"_cs_tags":["rabbitmq","vulnerability","authorization-bypass"],"_cs_type":"advisory","_cs_vendors":["RabbitMQ"],"content_html":"\u003cp\u003eCVE-2026-57217 identifies a critical authorization bypass vulnerability within RabbitMQ's topic exchange mechanism. This flaw could allow an attacker, particularly in a multi-tenant environment, to bypass established topic authorization rules and gain unauthorized access to or manipulate routing keys. While the specific method of exploitation is not detailed in the available public information, a successful attack could lead to a compromise of message integrity, confidentiality, or availability. Attackers could potentially reroute messages to unintended recipients, read messages not intended for them, or inject malicious messages into a tenant's message queues. This vulnerability impacts RabbitMQ installations where topic exchanges are used, especially in shared or multi-tenant deployments where strict message isolation is critical. Organizations utilizing RabbitMQ are advised to address this vulnerability promptly to prevent potential data breaches or service disruptions.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-57217 in RabbitMQ could lead to significant security breaches in multi-tenant or shared messaging environments. Attackers could achieve unauthorized access to sensitive data by intercepting messages intended for other tenants or users. They might also manipulate routing keys to inject malicious messages, leading to data corruption, denial-of-service for specific applications, or further lateral movement within compromised systems. The integrity and confidentiality of message-based communications could be severely undermined, potentially affecting all tenants sharing a vulnerable RabbitMQ instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-57217 on all affected RabbitMQ instances immediately according to vendor guidelines.\u003c/li\u003e\n\u003cli\u003eMonitor RabbitMQ server logs for any unusual message routing, unexpected queue bindings, or unauthorized access attempts to topic exchanges.\u003c/li\u003e\n\u003cli\u003eImplement robust monitoring for RabbitMQ access controls and audit logs for changes in permissions or user activity related to message queues.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T07:46:30Z","date_published":"2026-07-15T07:46:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-topic-bypass/","summary":"CVE-2026-57217 details a vulnerability in RabbitMQ where topic authorization can be bypassed, leading to cross-tenant routing-key bypass, potentially allowing unauthorized access to or manipulation of routing keys in a multi-tenant environment.","title":"RabbitMQ Topic Authorization Bypass via Cross-Tenant Routing-Key Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-topic-bypass/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-57220"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RabbitMQ Stream listener"],"_cs_severities":["low"],"_cs_tags":["denial-of-service","vulnerability","rabbitmq"],"_cs_type":"advisory","_cs_vendors":["RabbitMQ"],"content_html":"\u003cp\u003eA critical denial-of-service (DoS) vulnerability, tracked as CVE-2026-57220, has been disclosed in the RabbitMQ Stream listener component. This flaw stems from an insufficient enforcement of configured frame-size limits during the authentication process. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted stream data frames that exceed expected size restrictions. The RabbitMQ Stream listener, failing to properly validate these frames, will attempt to process them, leading to excessive memory allocation and eventual memory exhaustion of the server process. This can cause the RabbitMQ service to crash or become unresponsive, resulting in a denial of service for legitimate users. This vulnerability impacts installations utilizing the RabbitMQ Stream listener, posing a significant risk to the availability of message queuing services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker establishes a TCP connection to the vulnerable RabbitMQ Stream listener port.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the authentication handshake with the RabbitMQ Stream listener.\u003c/li\u003e\n\u003cli\u003eDuring the authentication phase, the attacker sends a continuous stream of data.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the stream to contain oversized data frames that intentionally violate the configured frame-size limits.\u003c/li\u003e\n\u003cli\u003eDue to CVE-2026-57220, the RabbitMQ Stream listener fails to correctly apply the frame-size limits during this specific pre-authentication stage.\u003c/li\u003e\n\u003cli\u003eThe listener attempts to buffer and process these excessively large frames in memory.\u003c/li\u003e\n\u003cli\u003eThis continuous influx of oversized frames causes the RabbitMQ process to rapidly consume available system memory.\u003c/li\u003e\n\u003cli\u003eMemory exhaustion occurs, leading to the RabbitMQ service crashing or becoming unresponsive, effectively achieving a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-57220 leads to an immediate and complete denial of service for the affected RabbitMQ instance. As the attack is unauthenticated, any internet-facing or internally accessible RabbitMQ Stream listener is vulnerable to disruption. Organizations relying on RabbitMQ for critical message queuing, task distribution, or real-time communication will experience severe operational outages, data processing delays, and potential data loss if the service crashes. The ease of exploitation and potential for significant business impact categorize this as a high-severity threat requiring urgent remediation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-57220 immediately on all affected RabbitMQ Stream listener deployments to mitigate the unauthenticated memory exhaustion vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T07:45:46Z","date_published":"2026-07-15T07:45:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-memexhaust-dos/","summary":"A denial-of-service vulnerability, CVE-2026-57220, exists in the RabbitMQ stream listener that allows an unauthenticated attacker to exhaust memory resources by not properly enforcing frame-size limits during authentication, leading to service disruption.","title":"RabbitMQ Stream Listener Vulnerability CVE-2026-57220 Allows Unauthenticated Memory Exhaustion DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-memexhaust-dos/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-57219"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RabbitMQ"],"_cs_severities":["high"],"_cs_tags":["vulnerability","credential-access","rabbitmq","broadcom"],"_cs_type":"advisory","_cs_vendors":["Broadcom"],"content_html":"\u003cp\u003eCVE-2026-57219 identifies a critical vulnerability in RabbitMQ, specifically affecting instances configured with certain less common OAuth 2 configurations. This flaw allows an unauthenticated attacker to obtain sensitive OAuth client credentials directly via an HTTP API endpoint. The vulnerability stems from an improper handling mechanism when these specific OAuth 2 configurations are in use, leading to the unintended disclosure of client secrets and other credential information. While the exact \u0026quot;less common\u0026quot; configurations are not detailed, their presence creates a window for attackers to gain unauthorized access to any services or applications that rely on these compromised OAuth clients for authentication. This vulnerability could lead to significant security breaches, including data exfiltration, privilege escalation, and lateral movement within an affected organization's network, as the stolen credentials can be leveraged to impersonate legitimate services or users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Configuration Identification\u003c/strong\u003e: An attacker identifies an internet-facing RabbitMQ instance within a target organization and attempts to determine if it is utilizing the \u0026quot;less common OAuth 2 configurations\u0026quot; described in CVE-2026-57219.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation\u003c/strong\u003e: The attacker sends a specially crafted, unauthenticated HTTP request to a specific vulnerable HTTP API endpoint exposed by the RabbitMQ server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Disclosure\u003c/strong\u003e: Due to the flaw described in CVE-2026-57219, the RabbitMQ instance responds to this unauthenticated request by inadvertently disclosing sensitive OAuth client credentials, such as client IDs and client secrets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Exfiltration\u003c/strong\u003e: The attacker parses the HTTP response and extracts the disclosed OAuth client credentials, often through automated tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Authentication\u003c/strong\u003e: The attacker then uses the stolen OAuth client credentials to authenticate to other services or applications that trust the compromised RabbitMQ instance or utilize these specific OAuth clients for identity management.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement \u0026amp; Access\u003c/strong\u003e: Successful authentication grants the attacker unauthorized access to internal systems, data repositories, or other resources that are accessible via the stolen credentials, facilitating lateral movement within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact Fulfillment\u003c/strong\u003e: The attacker leverages this unauthorized access to achieve their objectives, which could include data exfiltration, privilege escalation, or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-57219 can lead to severe consequences for organizations using affected RabbitMQ configurations. The primary impact is the unauthorized disclosure of OAuth client credentials, which can then be used to gain unauthorized access to various systems and data within the victim's environment. This could result in widespread data breaches, financial losses, and significant reputational damage. The unauthorized access may extend to sensitive internal systems, cloud services, or applications that rely on RabbitMQ's OAuth integration, potentially compromising customer data, intellectual property, and critical infrastructure. No specific victim counts or targeted sectors have been publicly identified at this time, but any organization using vulnerable RabbitMQ configurations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch RabbitMQ instances to a version that addresses CVE-2026-57219 to prevent unauthenticated credential disclosure.\u003c/li\u003e\n\u003cli\u003eReview all existing RabbitMQ OAuth 2 configurations to identify and remediate any \u0026quot;less common\u0026quot; or non-standard setups that could be susceptible to CVE-2026-57219.\u003c/li\u003e\n\u003cli\u003eMonitor RabbitMQ HTTP access logs and associated authentication logs for unusual or unauthenticated access attempts to API endpoints that handle OAuth configurations.\u003c/li\u003e\n\u003cli\u003eImplement robust monitoring of all services that utilize OAuth clients managed by RabbitMQ for any anomalous authentication patterns or unauthorized access attempts using newly disclosed credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T07:42:55Z","date_published":"2026-07-15T07:42:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-oauth-disclosure/","summary":"CVE-2026-57219 describes an unauthenticated disclosure vulnerability in RabbitMQ, allowing an attacker to obtain OAuth client credentials via an HTTP API endpoint when RabbitMQ is configured with certain less common OAuth 2 configurations, potentially leading to unauthorized access to other systems or services.","title":"RabbitMQ Unauthenticated OAuth Client Credential Disclosure via HTTP API (CVE-2026-57219)","url":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-oauth-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}