CVE-2026-57219

Source
https://cve.org/CVERecord?id=CVE-2026-57219
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57219.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57219
Aliases
  • GHSA-pj24-8j6m-vq9q
Downstream
Published
2026-07-10T20:22:26.516Z
Modified
2026-07-16T03:48:43.591937777Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
RabbitMQ: Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations
Details

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauthclientsecret, exposing credentials to unauthenticated callers when the management plugin and that OAuth configuration are enabled. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57219.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "4.1.0"
                },
                {
                    "fixed": "4.1.11"
                },
                {
                    "introduced": "4.0.0"
                },
                {
                    "fixed": "4.0.21"
                },
                {
                    "introduced": "3.13.0"
                },
                {
                    "fixed": "3.13.15"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rabbitmq/rabbitmq-server

Affected ranges

Type
GIT
Repo
https://github.com/rabbitmq/rabbitmq-server
Events
Database specific
{
    "cpe": "cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "3.13.0"
        },
        {
            "fixed": "4.2.6"
        }
    ]
}

Affected versions

v3.*
v3.13.0
v3.13.0-rc.6
v4.*
v4.1.0-alpha
v4.1.0-beta.1
v4.1.0-beta.2
v4.1.0-beta.3
v4.1.0-beta.4
v4.2.0
v4.2.0-beta.1
v4.2.0-beta.2
v4.2.0-beta.3
v4.2.0-beta.4
v4.2.0-rc.1
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57219.json"