🟠 High  |  Source: Microsoft Security Response Center


A vulnerability in RabbitMQ (CVE-2026-57219) allows unauthenticated attackers to retrieve OAuth 2.0 client credentials via an exposed HTTP API endpoint, but only under certain non-default OAuth 2 configurations. If exploited, an attacker could obtain client credentials and potentially impersonate the RabbitMQ service or gain unauthorised access to connected systems. This is particularly relevant to Azure environments where RabbitMQ is deployed with OAuth 2 integrations.

Security Architect’s Take: Audit any RabbitMQ deployments — including those on Azure — to determine whether non-default OAuth 2 configurations are in use, and if so, restrict access to the HTTP API endpoint at the network level immediately whilst awaiting a patch. Review OAuth client credential scopes and rotate any potentially exposed credentials as a precaution.

Original advisory: CVE-2026-57219 RabbitMQ: Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations