CVE-2026-57218
RabbitMQ
CVSS Details
Description
RabbitMQ AMQP 0-9-1 in combination with OAuth 2 allows a pre-existing consumer to keep receiving messages after OAuth token expiry and after a connection.update_secret refresh to reduced scopes, due to missing delivery-time reauthorization for already-registered consumers. The connection.update_secret path updates the user state on channels, but the channel-side handler only assigns the new user object and does not cancel or recheck existing consumers, so message delivery proceeds without a fresh authorization callback per delivery. A client that once had read access can continue receiving future queue messages on an already-established AMQP 0-9-1 consumer after its token has expired or been downgraded. This issue affects RabbitMQ from 4.2.0 before 4.2.6 and was fixed in 4.2.6. Reported by Cantina.