
RabbitMQ Security

As the steward of RabbitMQ, we at Broadcom take the security of RabbitMQ very seriously.

How to Report a Vulnerability

To responsibly disclose a vulnerability:

  1. Navigate to the Security and quality tab of the relevant repository on GitHub. For example:
  2. Click Report a vulnerability to open a private advisory draft.
  3. Provide details, including steps to reproduce.

If you are unable to use GitHub Security Advisories, you can email tnz-rabbitmq-core.pdl@broadcom.com.

Our team will review the report, triage it, and work with you to resolve the issue privately before issuing a public patch and advisory.

Please do not report security vulnerabilities via public GitHub issues, public mailing lists, or public Discord channels.

Security Advisories

For commercial Broadcom / VMware Tanzu Customers

If you are a commercial customer using VMware Tanzu RabbitMQ or other commercial distributions, please refer to the Broadcom Security Advisories.

The Broadcom Support Portal is the authoritative source of truth for all commercial releases. It includes comprehensive vulnerability information, including CVEs in dependencies and in the underlying Erlang runtime that are not listed on this page.

Tip: You can search the Broadcom Security Advisories for a specific RabbitMQ version. For example, if you type RabbitMQ 4.2.8 into the search box, you will see the security advisory for that specific release.

Open Source Advisories

For convenience, the table below lists all public security advisories across the RabbitMQ GitHub organization.

| CVE ID | Date Published | Severity | Repository | Summary | Affected Versions | Patched Versions |
|---|---|---|---|---|---|---|
| CVE-2026-57215 | 2026-06-24 | High | rabbitmq-server | Direct-reply-to binding persistence can lead to unauthorized reply-channel injection and persistent phantom | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57216 | 2026-06-24 | Medium | rabbitmq-server | AMQP 1.0, AMQP 0-9-1, Stream Protocol loopback enforcement can lead to remote guest sessions due to listener-address loopback checks | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57217 | 2026-06-24 | High | rabbitmq-server | Topic authorization can lead to cross-tenant routing-key bypass | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.21; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57218 | 2026-06-24 | Medium | rabbitmq-server | AMQP 0-9-1 in combination with OAuth 2: consumer persistence can lead to post-revocation message disclosure | >= 4.2.0, < 4.2.6 | |
| CVE-2026-57220 | 2026-06-24 | High | rabbitmq-server | Stream listener does not enforce configured frame-size limit during authentication, permitting unauthenticated memory-exhaustion DoS | >= 4.2.0, < 4.2.6 | |
| CVE-2026-57221 | 2026-06-24 | Medium | rabbitmq-server | Passive queue/exchange declaration bypasses authorization checks, leaking queue metadata to unprivileged users | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57219 | 2026-06-24 | High | rabbitmq-server | Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11; >= 4.0.0, < 4.0.20; >= 3.13.0, < 3.13.15 | |
| CVE-2026-57214 | 2026-06-18 | High | rabbitmq-server | Stored XSS in RabbitMQ management UI | >= 4.2.0, < 4.2.5 | |
| CVE-2026-57213 | 2026-06-18 | Medium | rabbitmq-server | Stored XSS in RabbitMQ federation management plugin via unsanitized consumer_tag rendering | >= 4.2.0, < 4.2.5; >= 4.1.0, < 4.1.10; >= 4.0.0, < 4.0.19; >= 3.13.0, < 3.13.14 | |
| CVE-2026-57212 | 2026-06-18 | High | rabbitmq-server | RabbitMQ management HTTP API accepts request bodies larger than configured max_http_body_size | >= 4.2.0, < 4.2.5; >= 4.1.0, < 4.1.10; >= 4.0.0, < 4.0.19; >= 3.13.0, < 3.13.14 | |
| CVE-2026-57211 | 2026-06-18 | Medium | rabbitmq-server | UNC SSRF affecting RabbitMQ management UI on Windows | >= 4.2.0, < 4.2.6; >= 4.1.0, < 4.1.11 | |
| CVE-2026-44839 | 2026-05-06 | Medium | rabbitmq-server | Unsanitized vhost names allow for XSS in management UI | >= 4.1.0, < 4.1.2; >= 4.0.0, < 4.0.13 | |
| CVE-2026-44838 | 2026-05-06 | Medium | rabbitmq-server | RabbitMQ MQTT Topic Permission Authorization Bypass | >= 4.2.0, < 4.2.4 | |
| CVE-2025-50200 | 2025-06-18 | Medium | rabbitmq-server | Node can log Basic Auth header from an HTTP request | >= 4.0.0, < 4.0.8; >= 3.13.0, < 3.13.8 | |
| CVE-2025-30219 | 2025-03-25 | Medium | rabbitmq-server | XSS Vulnerability in an Error Message in Management UI | >= 4.0.0, < 4.0.3; >= 3.13.0, < 3.13.8 | |
| CVE-2024-51988 | 2024-11-06 | Medium | rabbitmq-server | HTTP API's queue deletion endpoint does not verify that the user has a required permission | > 3.12.7, < 3.12.11 | |
| CVE-2023-46118 | 2023-10-23 | Medium | rabbitmq-server | Denial of Service by publishing large messages over the HTTP API | >= 3.12.0, < 3.12.7; >= 3.11.0, < 3.11.24 | |
| CVE-2023-46120 | 2023-10-23 | Medium | rabbitmq-java-client | No message size limit in RabbitMQ Java client can lead to a remote DoS attack of consumer applications | < 5.18.0 | 5.18.0 |
| CVE-2022-31008 | 2022-10-05 | Medium | rabbitmq-server | Predictable credential obfuscation seed value used in Shovel and Federation plugins | >= 3.10.0, < 3.10.2; >= 3.9.0, < 3.9.18; >= 3.8.0, < 3.8.32 | |
| CVE-2021-32718 | 2021-06-27 | Low | rabbitmq-server | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ management UI | < 3.8.17 | |
| CVE-2021-32719 | 2021-06-27 | Low | rabbitmq-server | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ federation management plugin | < 3.8.18 | |