Aug 4-6 · Las VegasCantina is at Black Hat USA · Booth 5200, AI ZoneBook a meeting
incorrect-authorization

CVE-2026-57215

RabbitMQ

High

CVSS Details

CVSS Score
7.0 HIGH
Vector String
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Weakness
CWE-863 Incorrect Authorization

Description

RabbitMQ allows foreign bindings to amq.rabbitmq.reply-to.* destinations due to a mismatch between volatile direct-reply-to queue handling and Khepri-backed binding deletion. Direct-reply-to queue names are treated as valid targets at bind and route time, but they are not persisted as queue records in Khepri, so during unbind the deletion can return ok without deleting the route entry when the volatile destination is missing from the store. An authenticated tenant with normal bind/publish permissions in a shared vhost can leave persistent poisoned routes that enable unsolicited reply-channel injection and silent routing loss conditions on affected exchanges. This issue affects RabbitMQ from 4.2.0 before 4.2.6, 4.1.0 before 4.1.11, 4.0.0 before 4.0.20, and 3.13.0 before 3.13.15. Reported by Cantina.

Disclosure Date

Public Disclosure
June 24, 2026