🟠 High  |  Source: The Hacker News


Two access control vulnerabilities in the RabbitMQ message broker have been disclosed that could allow attackers to steal OAuth client secrets and access queue metadata belonging to other tenants. The flaws, discovered by Miggo’s security team, expose organisations using RabbitMQ for enterprise messaging to potential infrastructure takeover and cross-tenant data leakage. This is particularly concerning in multi-tenant deployments where strict isolation between customers or business units is expected.

Security Architect’s Take: Audit all RabbitMQ deployments for the affected versions and apply vendor patches immediately, prioritising any instances using OAuth authentication or multi-tenant queue configurations. In the interim, restrict management API access via network controls and review vhost-level permissions to limit blast radius if exploitation occurs.

Original advisory: RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata