Aug 4-6 · Las VegasCantina is at Black Hat USA · Booth 5200, AI ZoneBook a meeting
incorrect-authorization

CVE-2026-57218

RabbitMQ

Medium

CVSS Details

CVSS Score
4.9 MEDIUM
Vector String
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Weakness
CWE-863 Incorrect Authorization

Description

RabbitMQ AMQP 0-9-1 in combination with OAuth 2 allows a pre-existing consumer to keep receiving messages after OAuth token expiry and after a connection.update_secret refresh to reduced scopes, due to missing delivery-time reauthorization for already-registered consumers. The connection.update_secret path updates the user state on channels, but the channel-side handler only assigns the new user object and does not cancel or recheck existing consumers, so message delivery proceeds without a fresh authorization callback per delivery. A client that once had read access can continue receiving future queue messages on an already-established AMQP 0-9-1 consumer after its token has expired or been downgraded. This issue affects RabbitMQ from 4.2.0 before 4.2.6 and was fixed in 4.2.6. Reported by Cantina.

Disclosure Date

Public Disclosure
June 24, 2026