RabbitMQ Security
As the steward of RabbitMQ, we at Broadcom take the security of RabbitMQ very seriously.
How to Report a Vulnerability
To responsibly disclose a vulnerability:
- Navigate to the Security and quality tab of the relevant repository on GitHub. For example:
  - rabbitmq/rabbitmq-server for the core broker
  - rabbitmq/rabbitmq-amqp-java-client for the RabbitMQ AMQP 1.0 Java client
  - rabbitmq/cluster-operator for the RabbitMQ Kubernetes cluster operator
- Click Report a vulnerability to open a private advisory draft.
- Provide details, including steps to reproduce.
If you are unable to use GitHub Security Advisories, you can email tnz-rabbitmq-core.pdl@broadcom.com.
Our team will review the report, triage it, and work with you to resolve the issue privately before issuing a public patch and advisory.
Please do not report security vulnerabilities via public GitHub issues, public mailing lists, or public Discord channels.
Security Advisories
For commercial Broadcom / VMware Tanzu Customers
If you are a commercial customer using VMware Tanzu RabbitMQ or other commercial distributions, please refer to the Broadcom Security Advisories.
The Broadcom Support Portal is the authoritative source of truth for all commercial releases. It includes comprehensive vulnerability information, including CVEs in dependencies and in the underlying Erlang runtime, which are not listed on this page.
You can search the Broadcom Security Advisories for a specific RabbitMQ version. For example, if you type RabbitMQ 4.2.8 into the search box, you will see the security advisory for that specific release.
Open Source Advisories
For convenience, the table below lists all public security advisories across the RabbitMQ GitHub organization.
| CVE ID | Date Published | Severity | Repository | Summary | Affected Versions | Patched Versions |
|---|---|---|---|---|---|---|
| CVE-2026-57215 | 2026-06-24 | High | rabbitmq-server | Direct-reply-to binding persistence can lead to unauthorized reply-channel injection and persistent phantom | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57216 | 2026-06-24 | Medium | rabbitmq-server | AMQP 1.0, AMQP 0-9-1 and Stream Protocol loopback enforcement can lead to remote guest sessions due to listener-address loopback checks | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57217 | 2026-06-24 | High | rabbitmq-server | Topic authorization can lead to cross-tenant routing-key bypass | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.21; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57218 | 2026-06-24 | Medium | rabbitmq-server | AMQP 0-9-1 in combination with OAuth 2: consumer persistence can lead to post-revocation message disclosure | >= 4.2.0, < 4.2.6 | |
| CVE-2026-57220 | 2026-06-24 | High | rabbitmq-server | Stream listener does not enforce the configured frame-size limit during authentication, permitting an unauthenticated memory-exhaustion DoS | >= 4.2.0, < 4.2.6 | |
| CVE-2026-57221 | 2026-06-24 | Medium | rabbitmq-server | Passive queue/exchange declaration bypasses authorization checks, leaking queue metadata to unprivileged users | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57219 | 2026-06-24 | High | rabbitmq-server | Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57214 | 2026-06-18 | High | rabbitmq-server | Stored XSS in RabbitMQ management UI | >= 4.2.0, < 4.2.5 | |
| CVE-2026-57213 | 2026-06-18 | Medium | rabbitmq-server | Stored XSS in RabbitMQ federation management plugin via unsanitized consumer_tag rendering | >= 4.2.0, < 4.2.5; >= 4.1.0, < 4.1.10; >= 4.0.0, < 4.0.19; >= 3.13.0, < 3.13.14 | |
| CVE-2026-57212 | 2026-06-18 | High | rabbitmq-server | RabbitMQ management HTTP API accepts request bodies larger than the configured max_http_body_size | >= 4.2.0, < 4.2.5; >= 4.1.0, < 4.1.10; >= 4.0.0, < 4.0.19; >= 3.13.0, < 3.13.14 | |
| CVE-2026-57211 | 2026-06-18 | Medium | rabbitmq-server | UNC SSRF affecting RabbitMQ management UI on Windows | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11 | |
| CVE-2026-44839 | 2026-05-06 | Medium | rabbitmq-server | Unsanitized vhost names allow for XSS in management UI | >= 4.1.0, < 4.1.2; >= 4.0.0, < 4.0.13 | |
| CVE-2026-44838 | 2026-05-06 | Medium | rabbitmq-server | RabbitMQ MQTT topic permission authorization bypass | >= 4.2.0, < 4.2.4 | |
| CVE-2025-50200 | 2025-06-18 | Medium | rabbitmq-server | Node can log the Basic Auth header from an HTTP request | >= 4.0.0, < 4.0.8; >= 3.13.0, < 3.13.8 | |
| CVE-2025-30219 | 2025-03-25 | Medium | rabbitmq-server | XSS vulnerability in an error message in the management UI | >= 4.0.0, < 4.0.3; >= 3.13.0, < 3.13.8 | |
| CVE-2024-51988 | 2024-11-06 | Medium | rabbitmq-server | HTTP API's queue deletion endpoint does not verify that the user has the required permission | > 3.12.7, < 3.12.11 | |
| CVE-2023-46118 | 2023-10-23 | Medium | rabbitmq-server | Denial of service by publishing large messages over the HTTP API | >= 3.12.0, < 3.12.7; >= 3.11.0, < 3.11.24 | |
| CVE-2023-46120 | 2023-10-23 | Medium | rabbitmq-java-client | No message size limit in the RabbitMQ Java client can lead to a remote DoS of consumer applications | < 5.18.0 | 5.18.0 |
| CVE-2022-31008 | 2022-10-05 | Medium | rabbitmq-server | Predictable credential obfuscation seed value used in Shovel and Federation plugins | >= 3.10.0, < 3.10.2; >= 3.9.0, < 3.9.18; >= 3.8.0, < 3.8.32 | |
| CVE-2021-32718 | 2021-06-27 | Low | rabbitmq-server | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ management UI | < 3.8.17 | |
| CVE-2021-32719 | 2021-06-27 | Low | rabbitmq-server | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ federation management plugin | < 3.8.18 | |
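The ranges in the Affected Versions column are what a practitioner actually evaluates when deciding whether an installed broker needs patching, and getting the boundaries right matters: most ranges use `>=` on the lower bound, but CVE-2024-51988 uses a strict `>`, and the upper bound is always exclusive. The script below is an added example, not code from the RabbitMQ project or from this page; it parses range strings in the exact notation the table uses (`;`-separated alternatives, each a `,`-separated conjunction of comparison clauses) and reports which listed CVEs cover a given version. The `ADVISORIES` list is a constructed subset copied from the table, not a live feed, and because the Patched Versions column is mostly empty the check relies on the affected ranges alone. It covers open-source advisories only; dependency and Erlang runtime CVEs for commercial releases live on the Broadcom Support Portal, as noted above.

```python
"""Check a RabbitMQ version against advisory version ranges.

Added example; not part of the RabbitMQ project or its documentation.
Range strings use the notation of the advisory table on this page.
"""
import re
from typing import List, Tuple

Version = Tuple[int, ...]

# Constructed subset of the advisory table: (CVE id, severity, affected ranges).
ADVISORIES = [
    ("CVE-2026-57215", "High",   ">= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15"),
    ("CVE-2026-57217", "High",   ">= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.21; >= 3.13.0, < 3.13.15"),
    ("CVE-2026-57218", "Medium", ">= 4.2.0, < 4.2.6"),
    ("CVE-2026-57214", "High",   ">= 4.2.0, < 4.2.5"),
    ("CVE-2026-44839", "Medium", ">= 4.1.0, < 4.1.2; >= 4.0.0, < 4.0.13"),
    ("CVE-2024-51988", "Medium", "> 3.12.7, < 3.12.11"),   # note the strict lower bound
    ("CVE-2021-32718", "Low",    "< 3.8.17"),
]

_CMP = {
    ">=": lambda a, b: a >= b,
    ">":  lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<":  lambda a, b: a < b,
    "==": lambda a, b: a == b,
}
# One clause: an operator, optional whitespace, a dotted numeric version.
_CLAUSE = re.compile(r"^(>=|<=|>|<|==)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'4.1.10' -> (4, 1, 10). A leading 'v' and a pre-release suffix such
    as '-rc.1' are dropped, so '4.0.20-rc.1' compares as 4.0.20."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (4, 1) compares equal to (4, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def _clause_holds(version: Version, clause: str) -> bool:
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unparseable clause: {clause!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    v, b = _pad(version, bound)
    return _CMP[op](v, b)


def in_range(version: Version, range_text: str) -> bool:
    """True if version satisfies any ';'-separated alternative; each
    alternative is a ','-separated conjunction of clauses like '< 4.2.6'."""
    for alternative in range_text.split(";"):
        clauses = [c.strip() for c in alternative.split(",") if c.strip()]
        if clauses and all(_clause_holds(version, c) for c in clauses):
            return True
    return False


def affected_cves(version_text: str, advisories=ADVISORIES) -> List[Tuple[str, str]]:
    """Return (cve, severity) for every advisory whose ranges cover version_text."""
    version = parse_version(version_text)
    return [(cve, sev) for cve, sev, ranges in advisories if in_range(version, ranges)]


if __name__ == "__main__":
    for ver in ("4.1.10", "4.2.6", "3.12.7", "3.12.8", "v4.0.20-rc.1"):
        hits = [cve for cve, _ in affected_cves(ver)]
        print(f"{ver:>14}: {hits or 'no listed advisories'}")
```

Run it against the output of `rabbitmqctl version` (or the `rabbitmq_version` field from the management API's `/api/overview`). The 3.12.7 versus 3.12.8 pair shows why the operator in each clause must be honoured literally: as listed, 3.12.7 falls outside CVE-2024-51988 while 3.12.8 falls inside it.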