<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3abroadcomrabbitmq_server/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 07:47:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3abroadcomrabbitmq_server/feed.xml" rel="self" type="application/rss+xml"/><item><title>RabbitMQ Management UI UNC SSRF Vulnerability (CVE-2026-57211) on Windows</title><link>https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-unc-ssrf/</link><pubDate>Wed, 15 Jul 2026 07:47:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-unc-ssrf/</guid><description>CVE-2026-57211 details a Server-Side Request Forgery (SSRF) vulnerability within the RabbitMQ management UI when deployed on Windows, enabling an attacker to coerce the server into making requests to arbitrary UNC paths, potentially leading to NTLM credential disclosure or internal network reconnaissance.</description><content:encoded><![CDATA[<p>CVE-2026-57211, disclosed by Microsoft, describes a Server-Side Request Forgery (SSRF) vulnerability specifically affecting the RabbitMQ management UI when hosted on Windows operating systems. This vulnerability allows an unauthenticated remote attacker to craft requests that force the vulnerable RabbitMQ server to initiate outbound connections to arbitrary Universal Naming Convention (UNC) paths. This critical flaw could enable attackers to perform NTLM credential relay attacks by pointing the server to a malicious SMB share, leading to credential theft, or to conduct internal network reconnaissance by attempting connections to various internal network resources via UNC paths. While the advisory does not specify observed exploitation, the nature of SSRF in a management interface presents a significant risk to internal network security. Organizations utilizing RabbitMQ on Windows are strongly advised to review and apply the necessary security updates.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker identifies a RabbitMQ instance running its management UI on a Windows server.</li>
<li>The attacker crafts a malicious HTTP request to the RabbitMQ management UI.</li>
<li>This crafted request includes a parameter or payload designed to trigger the Server-Side Request Forgery (SSRF) vulnerability.</li>
<li>The vulnerability causes the RabbitMQ server to attempt to initiate an outbound network connection to an attacker-controlled Universal Naming Convention (UNC) path (e.g., <code>\\attacker-ip\share</code>).</li>
<li>If the attacker controls an SMB server at the specified UNC path, the Windows server hosting RabbitMQ will attempt NTLM authentication, sending its hashed credentials.</li>
<li>The attacker captures these NTLM hashes, which can then be cracked offline or used in NTLM relay attacks to gain unauthorized access to other services or systems within the internal network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-57211 can lead to significant information disclosure and potential lateral movement within an organization's network. Attackers can leverage the SSRF to force the RabbitMQ server to connect to arbitrary internal or external UNC paths. This can result in NTLM credential leakage, where the server's NTLM hash is sent to an attacker-controlled SMB share, allowing for offline cracking or NTLM relay attacks. Furthermore, the ability to make arbitrary outbound connections can be used for internal network reconnaissance, mapping network topologies, and identifying other vulnerable services or devices, escalating the potential for further compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update addressing CVE-2026-57211 released by VMware immediately to all affected RabbitMQ installations running on Windows.</li>
<li>Restrict outbound network connections from RabbitMQ servers to only necessary and trusted destinations to mitigate the impact of SSRF vulnerabilities.</li>
<li>Implement host-based firewalls or network segmentation to prevent RabbitMQ servers from initiating SMB connections to arbitrary UNC paths or untrusted internal hosts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>ssrf</category><category>rabbitmq</category><category>windows</category><category>msrc</category></item><item><title>RabbitMQ Topic Authorization Bypass via Cross-Tenant Routing-Key Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-topic-bypass/</link><pubDate>Wed, 15 Jul 2026 07:46:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-topic-bypass/</guid><description>CVE-2026-57217 details a vulnerability in RabbitMQ where topic authorization can be bypassed, leading to cross-tenant routing-key bypass, potentially allowing unauthorized access to or manipulation of routing keys in a multi-tenant environment.</description><content:encoded><![CDATA[<p>CVE-2026-57217 identifies a critical authorization bypass vulnerability within RabbitMQ's topic exchange mechanism. This flaw could allow an attacker, particularly in a multi-tenant environment, to bypass established topic authorization rules and gain unauthorized access to or manipulate routing keys. While the specific method of exploitation is not detailed in the available public information, a successful attack could lead to a compromise of message integrity, confidentiality, or availability. Attackers could potentially reroute messages to unintended recipients, read messages not intended for them, or inject malicious messages into a tenant's message queues. This vulnerability impacts RabbitMQ installations where topic exchanges are used, especially in shared or multi-tenant deployments where strict message isolation is critical. Organizations utilizing RabbitMQ are advised to address this vulnerability promptly to prevent potential data breaches or service disruptions.</p>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-57217 in RabbitMQ could lead to significant security breaches in multi-tenant or shared messaging environments. Attackers could achieve unauthorized access to sensitive data by intercepting messages intended for other tenants or users. They might also manipulate routing keys to inject malicious messages, leading to data corruption, denial-of-service for specific applications, or further lateral movement within compromised systems. The integrity and confidentiality of message-based communications could be severely undermined, potentially affecting all tenants sharing a vulnerable RabbitMQ instance.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-57217 on all affected RabbitMQ instances immediately according to vendor guidelines.</li>
<li>Monitor RabbitMQ server logs for any unusual message routing, unexpected queue bindings, or unauthorized access attempts to topic exchanges.</li>
<li>Implement robust monitoring for RabbitMQ access controls and audit logs for changes in permissions or user activity related to message queues.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>rabbitmq</category><category>vulnerability</category><category>authorization-bypass</category></item><item><title>RabbitMQ Stream Listener Vulnerability CVE-2026-57220 Allows Unauthenticated Memory Exhaustion DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-memexhaust-dos/</link><pubDate>Wed, 15 Jul 2026 07:45:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-memexhaust-dos/</guid><description>A denial-of-service vulnerability, CVE-2026-57220, exists in the RabbitMQ stream listener that allows an unauthenticated attacker to exhaust memory resources by not properly enforcing frame-size limits during authentication, leading to service disruption.</description><content:encoded><![CDATA[<p>A critical denial-of-service (DoS) vulnerability, tracked as CVE-2026-57220, has been disclosed in the RabbitMQ Stream listener component. This flaw stems from an insufficient enforcement of configured frame-size limits during the authentication process. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted stream data frames that exceed expected size restrictions. The RabbitMQ Stream listener, failing to properly validate these frames, will attempt to process them, leading to excessive memory allocation and eventual memory exhaustion of the server process. This can cause the RabbitMQ service to crash or become unresponsive, resulting in a denial of service for legitimate users. This vulnerability impacts installations utilizing the RabbitMQ Stream listener, posing a significant risk to the availability of message queuing services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker establishes a TCP connection to the vulnerable RabbitMQ Stream listener port.</li>
<li>The attacker initiates the authentication handshake with the RabbitMQ Stream listener.</li>
<li>During the authentication phase, the attacker sends a continuous stream of data.</li>
<li>The attacker crafts the stream to contain oversized data frames that intentionally violate the configured frame-size limits.</li>
<li>Due to CVE-2026-57220, the RabbitMQ Stream listener fails to correctly apply the frame-size limits during this specific pre-authentication stage.</li>
<li>The listener attempts to buffer and process these excessively large frames in memory.</li>
<li>This continuous influx of oversized frames causes the RabbitMQ process to rapidly consume available system memory.</li>
<li>Memory exhaustion occurs, leading to the RabbitMQ service crashing or becoming unresponsive, effectively achieving a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-57220 leads to an immediate and complete denial of service for the affected RabbitMQ instance. As the attack is unauthenticated, any internet-facing or internally accessible RabbitMQ Stream listener is vulnerable to disruption. Organizations relying on RabbitMQ for critical message queuing, task distribution, or real-time communication will experience severe operational outages, data processing delays, and potential data loss if the service crashes. The ease of exploitation and potential for significant business impact categorize this as a high-severity threat requiring urgent remediation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-57220 immediately on all affected RabbitMQ Stream listener deployments to mitigate the unauthenticated memory exhaustion vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>rabbitmq</category></item><item><title>RabbitMQ Unauthenticated OAuth Client Credential Disclosure via HTTP API (CVE-2026-57219)</title><link>https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-oauth-disclosure/</link><pubDate>Wed, 15 Jul 2026 07:42:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-oauth-disclosure/</guid><description>CVE-2026-57219 describes an unauthenticated disclosure vulnerability in RabbitMQ, allowing an attacker to obtain OAuth client credentials via an HTTP API endpoint when RabbitMQ is configured with certain less common OAuth 2 configurations, potentially leading to unauthorized access to other systems or services.</description><content:encoded><![CDATA[<p>CVE-2026-57219 identifies a critical vulnerability in RabbitMQ, specifically affecting instances configured with certain less common OAuth 2 configurations. This flaw allows an unauthenticated attacker to obtain sensitive OAuth client credentials directly via an HTTP API endpoint. The vulnerability stems from an improper handling mechanism when these specific OAuth 2 configurations are in use, leading to the unintended disclosure of client secrets and other credential information. While the exact &quot;less common&quot; configurations are not detailed, their presence creates a window for attackers to gain unauthorized access to any services or applications that rely on these compromised OAuth clients for authentication. This vulnerability could lead to significant security breaches, including data exfiltration, privilege escalation, and lateral movement within an affected organization's network, as the stolen credentials can be leveraged to impersonate legitimate services or users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance &amp; Configuration Identification</strong>: An attacker identifies an internet-facing RabbitMQ instance within a target organization and attempts to determine if it is utilizing the &quot;less common OAuth 2 configurations&quot; described in CVE-2026-57219.</li>
<li><strong>Vulnerability Exploitation</strong>: The attacker sends a specially crafted, unauthenticated HTTP request to a specific vulnerable HTTP API endpoint exposed by the RabbitMQ server.</li>
<li><strong>Credential Disclosure</strong>: Due to the flaw described in CVE-2026-57219, the RabbitMQ instance responds to this unauthenticated request by inadvertently disclosing sensitive OAuth client credentials, such as client IDs and client secrets.</li>
<li><strong>Credential Exfiltration</strong>: The attacker parses the HTTP response and extracts the disclosed OAuth client credentials, often through automated tools.</li>
<li><strong>Unauthorized Authentication</strong>: The attacker then uses the stolen OAuth client credentials to authenticate to other services or applications that trust the compromised RabbitMQ instance or utilize these specific OAuth clients for identity management.</li>
<li><strong>Lateral Movement &amp; Access</strong>: Successful authentication grants the attacker unauthorized access to internal systems, data repositories, or other resources that are accessible via the stolen credentials, facilitating lateral movement within the network.</li>
<li><strong>Impact Fulfillment</strong>: The attacker leverages this unauthorized access to achieve their objectives, which could include data exfiltration, privilege escalation, or further system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-57219 can lead to severe consequences for organizations using affected RabbitMQ configurations. The primary impact is the unauthorized disclosure of OAuth client credentials, which can then be used to gain unauthorized access to various systems and data within the victim's environment. This could result in widespread data breaches, financial losses, and significant reputational damage. The unauthorized access may extend to sensitive internal systems, cloud services, or applications that rely on RabbitMQ's OAuth integration, potentially compromising customer data, intellectual property, and critical infrastructure. No specific victim counts or targeted sectors have been publicly identified at this time, but any organization using vulnerable RabbitMQ configurations is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch RabbitMQ instances to a version that addresses CVE-2026-57219 to prevent unauthenticated credential disclosure.</li>
<li>Review all existing RabbitMQ OAuth 2 configurations to identify and remediate any &quot;less common&quot; or non-standard setups that could be susceptible to CVE-2026-57219.</li>
<li>Monitor RabbitMQ HTTP access logs and associated authentication logs for unusual or unauthenticated access attempts to API endpoints that handle OAuth configurations.</li>
<li>Implement robust monitoring of all services that utilize OAuth clients managed by RabbitMQ for any anomalous authentication patterns or unauthorized access attempts using newly disclosed credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>credential-access</category><category>rabbitmq</category><category>broadcom</category></item></channel></rss>