Executive Summary

CVE-2026-9133 is a vulnerability in the rabbitmq-aws plugin used with RabbitMQ to resolve AWS ARNs. It arises from active debug code that was mistakenly included in production versions before 0.2.1. Specifically, a debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate endpoint allows remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process.

This means that an attacker with authenticated access to the management API can exploit this debug feature to read sensitive files on the server, such as passwords or TLS private keys.

The vulnerability affects versions 0.1.0 through 0.2.0 of the plugin and has been fixed in version 0.2.1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow remote authenticated users to read arbitrary files on the server where RabbitMQ is running, potentially exposing sensitive information such as passwords, TLS private keys, and other confidential data accessible to the RabbitMQ process.

Such unauthorized file access can lead to further compromise of the system, including unauthorized access to encrypted communications or credentials.

To mitigate the impact, users should upgrade to version 0.2.1 of the rabbitmq-aws plugin and rotate any secrets that might have been exposed.

As a temporary workaround, disabling the plugin removes the vulnerable endpoint but also disables ARN resolution, which may affect system functionality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your RabbitMQ instance is running the vulnerable rabbitmq-aws plugin versions 0.1.0 through 0.2.0 and if the PUT /api/aws/arn/validate endpoint is accessible.

You can verify the plugin version and status using RabbitMQ management commands.

• Check the installed version of the rabbitmq-aws plugin to see if it is below 0.2.1.
• Use the RabbitMQ CLI to list enabled plugins: rabbitmq-plugins list
• Test the vulnerable endpoint by sending an authenticated PUT request to /api/aws/arn/validate with a debug ARN scheme (arn:aws-debug:file) to see if arbitrary file reads are possible (only in a controlled and authorized environment).

Example command to check enabled plugins:

• rabbitmq-plugins list

Example curl command to test the vulnerable endpoint (replace placeholders accordingly and ensure you have proper authorization):

• curl -X PUT -u <username>:<password> -H "Content-Type: application/json" -d '{"arn":"arn:aws-debug:file:/etc/passwd"}' https://<rabbitmq-host>/api/aws/arn/validate

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the rabbitmq-aws plugin to version 0.2.1 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, you can temporarily disable the vulnerable plugin to remove the affected endpoint.

• Upgrade rabbitmq-aws plugin to version 0.2.1.
• Rotate any secrets or private certificate keys that might have been exposed.
• Temporarily disable the plugin using the command: rabbitmq-plugins disable aws

Note that disabling the plugin will remove the vulnerable endpoint but also disable ARN resolution at startup, requiring fallback to filesystem-based certificate configuration.

If RabbitMQ is configured to use TLS, it is recommended to rotate any associated private certificate keys after remediation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process, potentially exposing sensitive data such as passwords or TLS private keys.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

To mitigate this risk and maintain compliance, affected users should upgrade to version 0.2.1 of the rabbitmq-aws plugin and rotate any exposed secrets or private keys.

Useful 0 Not Useful 0