CVE-2026-57216
Received Received - Intake

Authentication Bypass in RabbitMQ via PROXY Protocol

Vulnerability report for CVE-2026-57216, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, AMQP 0-9-1, AMQP 1.0, and Stream Protocol authentication can allow a loopback-restricted user such as guest to connect remotely when traffic is accepted through a trusted PROXY-protocol path and the backend listener is loopback-bound because the loopback check uses the listener-side socket address instead of the real client source. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
rabbitmq rabbitmq to 3.13.15 (exc)
rabbitmq rabbitmq 3.13.15
rabbitmq rabbitmq 4.0.20
rabbitmq rabbitmq 4.1.11
rabbitmq rabbitmq 4.2.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects RabbitMQ messaging and streaming broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6. It involves the authentication process for AMQP 0-9-1, AMQP 1.0, and Stream Protocol. Specifically, a loopback-restricted user such as 'guest' can connect remotely if the traffic is accepted through a trusted PROXY-protocol path and the backend listener is bound to the loopback interface. The issue arises because the loopback check uses the listener-side socket address instead of the actual client source address, allowing unauthorized remote connections.

Impact Analysis

This vulnerability can allow an unauthorized remote user, who should be restricted to loopback (local) access only, to connect remotely to the RabbitMQ broker. This could lead to unauthorized access to messaging services, potentially exposing sensitive data or allowing attackers to interact with the messaging system without proper permissions.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade RabbitMQ to one of the fixed versions: 3.13.15, 4.0.20, 4.1.11, or 4.2.6.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart