
RabbitMQ Security

As the steward of RabbitMQ, we at Broadcom take the security of RabbitMQ very seriously.

How to Report a Vulnerability

To responsibly disclose a vulnerability:

  1. Navigate to the Security and quality tab of the relevant repository on GitHub. For example:
  2. Click Report a vulnerability to open a private advisory draft.
  3. Provide details, including steps to reproduce.

If you are unable to use GitHub Security Advisories, you can email tnz-rabbitmq-core.pdl@broadcom.com.

Our team will review the report, triage it, and work with you to resolve the issue privately before issuing a public patch and advisory.

Please do not report security vulnerabilities via public GitHub issues, public mailing lists, or public Discord channels.

Security Advisories

For commercial Broadcom / VMware Tanzu Customers

If you are a commercial customer using VMware Tanzu RabbitMQ or other commercial distributions, please refer to the Broadcom Security Advisories.

The Broadcom Support Portal is the authoritative source of truth for all commercial releases. It includes comprehensive vulnerability information, including CVEs in dependencies and in the underlying Erlang runtime, which are not listed on this page.

Tip: You can search the Broadcom Security Advisories for a specific RabbitMQ version. For example, if you type RabbitMQ 4.2.8 into the search box, you will see the security advisory for that specific release.

Open Source Advisories

For convenience, the table below lists all public security advisories across the RabbitMQ GitHub organization, sorted by publication date with the newest first. Where a row lists several version ranges, each range is affected independently.

| CVE ID | Date Published | Severity | Repository | Summary | Affected Versions | Patched Versions |
|---|---|---|---|---|---|---|
| CVE-2026-57215 | 2026-06-24 | High | rabbitmq-server | Direct-reply-to binding persistence can lead to unauthorized reply-channel injection and persistent phantom | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57216 | 2026-06-24 | Medium | rabbitmq-server | AMQP 1.0, AMQP 0-9-1, Stream Protocol loopback enforcement can lead to remote guest sessions due to listener-address loopback checks | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57217 | 2026-06-24 | High | rabbitmq-server | Topic authorization can lead to cross-tenant routing-key bypass | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.21; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57218 | 2026-06-24 | Medium | rabbitmq-server | AMQP 0-9-1 in combination with OAuth 2: consumer persistence can lead to post-revocation message disclosure | >= 4.2.0, < 4.2.6 | |
| CVE-2026-57220 | 2026-06-24 | High | rabbitmq-server | Stream listener does not enforce configured frame-size limit during authentication, permitting unauthenticated memory-exhaustion DoS | >= 4.2.0, < 4.2.6 | |
| CVE-2026-57221 | 2026-06-24 | Medium | rabbitmq-server | Passive queue/exchange declaration bypasses authorization checks, leaking queue metadata to unprivileged users | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57219 | 2026-06-24 | High | rabbitmq-server | Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57214 | 2026-06-18 | High | rabbitmq-server | Stored XSS in RabbitMQ management UI | >= 4.2.0, < 4.2.5 | |
| CVE-2026-57213 | 2026-06-18 | Medium | rabbitmq-server | Stored XSS in RabbitMQ federation management plugin via unsanitized consumer_tag rendering | >= 4.2.0, < 4.2.5; >= 4.1.0, < 4.1.10; >= 4.0.0, < 4.0.19; >= 3.13.0, < 3.13.14 | |
| CVE-2026-57212 | 2026-06-18 | High | rabbitmq-server | RabbitMQ management HTTP API accepts request bodies larger than configured max_http_body_size | >= 4.2.0, < 4.2.5; >= 4.1.0, < 4.1.10; >= 4.0.0, < 4.0.19; >= 3.13.0, < 3.13.14 | |
| CVE-2026-57211 | 2026-06-18 | Medium | rabbitmq-server | UNC SSRF affecting RabbitMQ management UI on Windows | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11 | |
| CVE-2026-44839 | 2026-05-06 | Medium | rabbitmq-server | Unsanitized vhost names allow for XSS in management UI | >= 4.1.0, < 4.1.2; >= 4.0.0, < 4.0.13 | |
| CVE-2026-44838 | 2026-05-06 | Medium | rabbitmq-server | RabbitMQ MQTT Topic Permission Authorization Bypass | >= 4.2.0, < 4.2.4 | |
| CVE-2025-50200 | 2025-06-18 | Medium | rabbitmq-server | Node can log Basic Auth header from an HTTP request | >= 4.0.0, < 4.0.8; >= 3.13.0, < 3.13.8 | |
| CVE-2025-30219 | 2025-03-25 | Medium | rabbitmq-server | XSS Vulnerability in an Error Message in Management UI | >= 4.0.0, < 4.0.3; >= 3.13.0, < 3.13.8 | |
| CVE-2024-51988 | 2024-11-06 | Medium | rabbitmq-server | HTTP API's queue deletion endpoint does not verify that the user has a required permission | > 3.12.7, < 3.12.11 | |
| CVE-2023-46118 | 2023-10-23 | Medium | rabbitmq-server | Denial of Service by publishing large messages over the HTTP API | >= 3.12.0, < 3.12.7; >= 3.11.0, < 3.11.24 | |
| CVE-2023-46120 | 2023-10-23 | Medium | rabbitmq-java-client | No message size limit in RabbitMQ Java client can lead to a remote DoS attack of consumer applications | < 5.18.0 | 5.18.0 |
| CVE-2022-31008 | 2022-10-05 | Medium | rabbitmq-server | Predictable credential obfuscation seed value used in Shovel and Federation plugins | >= 3.10.0, < 3.10.2; >= 3.9.0, < 3.9.18; >= 3.8.0, < 3.8.32 | |
| CVE-2021-32718 | 2021-06-27 | Low | rabbitmq-server | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ management UI | < 3.8.17 | |
| CVE-2021-32719 | 2021-06-27 | Low | rabbitmq-server | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ federation management plugin | < 3.8.18 | |
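The "Affected Versions" column uses comma-separated comparison clauses (for example ">= 4.0.0, < 4.0.21"), and a single CVE can cover several disjoint ranges, so checking a deployment by eye is error-prone. The following is an added example, not RabbitMQ project code: it parses that notation and reports which listed CVEs cover a given component version. The `ADVISORIES` table is a constructed subset copied from the rows above (extend it with the remaining rows as needed); the function and variable names are the example's own.

```python
"""Match a RabbitMQ component version against published advisory ranges.

Added example, not part of the RabbitMQ project. The advisory rows below
are copied from the open source advisory table above (a subset only), and
the range strings are kept in the table's own notation.
"""
import re
from typing import Callable

Version = tuple[int, ...]

# Constructed lookup: CVE ID -> (repository, affected-version ranges).
# Each entry mirrors one row of the advisory table on this page.
ADVISORIES: dict[str, tuple[str, list[str]]] = {
    "CVE-2026-57217": ("rabbitmq-server",
                       [">= 4.2.0, < 4.2.6", ">= 4.1.0, < 4.1.11",
                        ">= 4.0.0, < 4.0.21", ">= 3.13.0, < 3.13.15"]),
    "CVE-2026-57220": ("rabbitmq-server", [">= 4.2.0, < 4.2.6"]),
    "CVE-2024-51988": ("rabbitmq-server", ["> 3.12.7, < 3.12.11"]),
    "CVE-2022-31008": ("rabbitmq-server",
                       [">= 3.10.0, <3.10.2", ">= 3.9.0, <3.9.18", ">= 3.8.0, <3.8.32"]),
    "CVE-2023-46120": ("rabbitmq-java-client", ["< 5.18.0"]),
}

# One comparison clause, e.g. ">= 4.2.0" or "<3.10.2" (the space is optional).
_CLAUSE = re.compile(r"(>=|<=|>|<)\s*(\d+(?:\.\d+)*)")
_OPS: dict[str, Callable[[Version, Version], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Version:
    """'4.2' -> (4, 2, 0): pad to three components so tuple comparison is exact.

    Pre-release suffixes such as '4.2.0-rc.1' are rejected rather than guessed at.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or len(parts) > 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return parts + (0,) * (3 - len(parts))


def in_range(version: str, range_text: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `range_text`."""
    clauses = _CLAUSE.findall(range_text)
    # Fail closed: never silently drop a clause the regex did not understand,
    # since a dropped upper bound would make a fixed version look affected and
    # a dropped lower bound would make an old branch look clean.
    if not clauses or len(clauses) != len(range_text.split(",")):
        raise ValueError(f"unparseable range: {range_text!r}")
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in clauses)


def affected_cves(repository: str, version: str) -> list[str]:
    """Sorted CVE IDs whose affected ranges for `repository` include `version`."""
    return sorted(
        cve for cve, (repo, ranges) in ADVISORIES.items()
        if repo == repository and any(in_range(version, r) for r in ranges)
    )


if __name__ == "__main__":
    for repo, ver in [("rabbitmq-server", "4.0.20"), ("rabbitmq-server", "4.2.6"),
                      ("rabbitmq-java-client", "5.17.0")]:
        hits = affected_cves(repo, ver)
        print(f"{repo} {ver}: {', '.join(hits) if hits else 'no listed advisory'}")
```

Note that an empty result only means no open source advisory in this table matches; as stated above, CVEs in dependencies and the Erlang runtime are tracked in the Broadcom Support Portal, not here, so a clean result is not a complete patch-status statement for a node.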
