UBUNTU-CVE-2026-44838
- Source
- https://ubuntu.com/security/CVE-2026-44838
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44838.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-44838
- Upstream
- Withdrawn
- 2026-06-04T20:32:00Z
- Published
- 2026-05-27T15:16:00Z
- Modified
- 2026-06-04T22:56:02.268028082Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{clientid}-sensors$ to restrict user access to topics that include their client ID. However, the clientid is provided by the user in the MQTT CONNECT packet and is inserted into the regex pattern without escaping special regex characters. This flaw enables an authenticated MQTT user to inject regex operators to bypass authorization. This vulnerability is fixed in 4.2.4 and 4.3.0.
- References
Affected packages
Ubuntu:18.04:LTS
rabbitmq-server
Package
- Name
- rabbitmq-server
- Purl
- pkg:deb/ubuntu/rabbitmq-server?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.6.10-1
3.6.10-1ubuntu0.1
3.6.10-1ubuntu0.3
3.6.10-1ubuntu0.4
3.6.10-1ubuntu0.5
Ubuntu:20.04:LTS
rabbitmq-server
Package
- Name
- rabbitmq-server
- Purl
- pkg:deb/ubuntu/rabbitmq-server?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.7.8-4ubuntu2
3.7.18-1
3.8.2-0ubuntu1
3.8.2-0ubuntu1.1
3.8.2-0ubuntu1.2
3.8.2-0ubuntu1.3
3.8.2-0ubuntu1.4
3.8.2-0ubuntu1.5
3.8.3-0ubuntu0.1
3.8.3-0ubuntu0.2
3.8.3-0ubuntu0.3
Ubuntu:22.04:LTS
rabbitmq-server
Package
- Name
- rabbitmq-server
- Purl
- pkg:deb/ubuntu/rabbitmq-server?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.8.9-3ubuntu1
3.9.8-1
3.9.8-2
3.9.8-3
3.9.8-5
3.9.8-6
3.9.13-1
3.9.13-1ubuntu0.22.04.1
3.9.13-1ubuntu0.22.04.2
3.9.27-0ubuntu0.1
3.9.27-0ubuntu0.2
Ubuntu:24.04:LTS
rabbitmq-server
Package
- Name
- rabbitmq-server
- Purl
- pkg:deb/ubuntu/rabbitmq-server?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:25.10
rabbitmq-server
Package
- Name
- rabbitmq-server
- Purl
- pkg:deb/ubuntu/rabbitmq-server?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:26.04:LTS
rabbitmq-server
Package
- Name
- rabbitmq-server
- Purl
- pkg:deb/ubuntu/rabbitmq-server?arch=source&distro=resolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
4.*
4.0.5-8ubuntu2
4.0.5-10ubuntu1
4.0.5-10ubuntu2
4.0.5-10ubuntu3
4.0.5-10ubuntu4
4.0.5-10ubuntu5
Ubuntu:Pro:16.04:LTS
rabbitmq-server
Package
- Name
- rabbitmq-server
- Purl
- pkg:deb/ubuntu/rabbitmq-server?arch=source&distro=esm-infra%2Fxenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.5.4-1
3.5.4-3
3.5.4-3.1
3.5.7-1
3.5.7-1ubuntu0.16.04.1
3.5.7-1ubuntu0.16.04.2
3.5.7-1ubuntu0.16.04.4
3.5.7-1ubuntu0.16.04.4+esm1
3.5.7-1ubuntu0.16.04.4+esm2