CVE-2026-57215
RabbitMQ
CVSS Details
Description
RabbitMQ allows foreign bindings to amq.rabbitmq.reply-to.* destinations due to a mismatch between volatile direct-reply-to queue handling and Khepri-backed binding deletion. Direct-reply-to queue names are treated as valid targets at bind and route time, but they are not persisted as queue records in Khepri, so during unbind the deletion can return ok without deleting the route entry when the volatile destination is missing from the store. An authenticated tenant with normal bind/publish permissions in a shared vhost can leave persistent poisoned routes that enable unsolicited reply-channel injection and silent routing loss conditions on affected exchanges. This issue affects RabbitMQ from 4.2.0 before 4.2.6, 4.1.0 before 4.1.11, 4.0.0 before 4.0.20, and 3.13.0 before 3.13.15. Reported by Cantina.