CVE-2023-47090: Authentication Bypass Vulnerability

The affected server is a popular cloud-native messaging system used by a wide variety of companies, including PayPal, Alibaba Group, and Capital One. A recently disclosed vulnerability in it allows clients to connect without credentials, bypassing authentication entirely.


The vulnerability, CVE-2023-47090, affects the server before version 2.9.23 and 2.10.x before version 2.10.2. The bug stems from the way the server handles the legacy “authorization” block. Before 2.2.0, all authentication and authorization rules were defined in a top-level “authorization” block; since 2.2.0, users are defined inside accounts, and the older “authorization” block is still accepted for configurations that have not yet been migrated.

If the server is configured with an “authorization” block and the only account defined in the “accounts” block is the system account (“$SYS”), the server creates an implicit user in the global account (“$G”) and sets that user as no_auth_user. Any client that connects without credentials is then accepted as that implicit user, so authentication is effectively bypassed for the global account.

An attacker who can reach the server's client port can therefore connect without credentials and publish or subscribe in the global account without authorization. Depending on what flows through “$G”, this can disrupt the service or expose sensitive messages.

The following versions are affected by CVE-2023-47090:

  • 2.2.0 up to and including 2.9.22
  • 2.10.0 and 2.10.1

There are three ways to mitigate this vulnerability:

  1. Upgrade to version 2.10.2 or later (or to 2.9.23 or later on the 2.9 line).
  2. If you must keep an “authorization” block, define at least one non-system account in the “accounts” block, even if you do not plan to use it, so the server no longer creates the implicit no_auth_user in “$G”:
    accounts {
      SYS: {
        users: [
          { user: sysuser, password: makemeasandwich }
        ]
      }
      DUMMY: {} # for security, before 2.10.2
    }
    system_account: SYS
  3. Complete the migration: move the entries of the “authorization” block into a named account inside the “accounts” block, so that no part of the configuration relies on the legacy path.

Whichever option you choose, verify it afterwards by connecting to the client port with no credentials: the server must reject the connection.
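As an added illustration (not code from the server project or from the original advisory), the following Python script parses a small subset of the server's brace-style configuration syntax and flags the vulnerable shape described above: an “authorization” block combined with an “accounts” block that contains only the system account. It also encodes the affected version ranges so a config and a server version can be audited together. The parser, the function names and the sample configurations are constructed for this example; treating “$SYS” as the system account name when system_account is not set is an assumption.

```python
"""Static check for the CVE-2023-47090 configuration shape.

Added illustration; not code from the server project or the advisory.
Parses a small subset of the server's brace-style config syntax (enough for
the fragments shown in the advisory) and reports whether an "authorization"
block is combined with an "accounts" block that holds only the system account.
"""
import re

# Tokens: quoted strings, structural characters, or bare words (simplified lexer).
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{}\[\],:=]|[^\s{}\[\],:=#]+')


def tokenize(text):
    """Split config text into tokens, dropping '#' comments to end of line."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(_TOKEN.findall(line.split("#", 1)[0]))
    return tokens


def _parse_value(tokens, i):
    """Parse one value starting at tokens[i]; returns (value, next_index)."""
    tok = tokens[i]
    if tok == "{":
        return _parse_object(tokens, i + 1)
    if tok == "[":
        items, i = [], i + 1
        while tokens[i] != "]":
            if tokens[i] == ",":
                i += 1
                continue
            item, i = _parse_value(tokens, i)
            items.append(item)
        return items, i + 1
    return tok.strip("\"'"), i + 1


def _parse_object(tokens, i):
    """Parse key/value pairs until the matching '}' or end of input."""
    obj = {}
    while i < len(tokens) and tokens[i] != "}":
        if tokens[i] == ",":
            i += 1
            continue
        key, i = tokens[i].strip("\"'"), i + 1
        if tokens[i] in (":", "="):  # separator is optional before '{'
            i += 1
        obj[key], i = _parse_value(tokens, i)
    return obj, i + 1


def parse_config(text):
    """Return the top-level config as nested dicts, lists and strings."""
    cfg, _ = _parse_object(tokenize(text), 0)
    return cfg


def has_implicit_no_auth_user(cfg):
    """True when the config matches the advisory's vulnerable shape: an
    "authorization" block plus an "accounts" block whose only entry is the
    system account. Assumption: "$SYS" is the system account when
    system_account is not set."""
    if "authorization" not in cfg:
        return False
    accounts = cfg.get("accounts")
    if not isinstance(accounts, dict) or not accounts:
        return False
    system_account = cfg.get("system_account", "$SYS")
    return all(name == system_account for name in accounts)


def version_affected(version):
    """Affected ranges from the advisory: 2.2.0-2.9.22 and 2.10.0-2.10.1."""
    major, minor, patch = (int(p) for p in version.lstrip("v").split("-")[0].split("."))
    if major != 2:
        return False
    if 2 <= minor <= 9:
        return minor < 9 or patch <= 22
    return minor == 10 and patch <= 1


def audit(config_text, server_version):
    """Return (version_is_affected, config_has_vulnerable_shape)."""
    return version_affected(server_version), has_implicit_no_auth_user(parse_config(config_text))


# Constructed sample configs (not taken from any real deployment).
VULNERABLE_CONF = """
authorization {
  users = [ { user: app, password: apppass } ]   # legacy, pre-2.2.0 style
}
accounts {
  SYS: { users: [ { user: sysuser, password: makemeasandwich } ] }
}
system_account: SYS
"""

# Same config with the advisory's workaround: a second, unused account.
FIXED_CONF = """
authorization {
  users = [ { user: app, password: apppass } ]
}
accounts {
  SYS: { users: [ { user: sysuser, password: makemeasandwich } ] }
  DUMMY: {}  # for security, before 2.10.2
}
system_account: SYS
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf, "2.9.22"))
```

Run it against a copy of your own server config and version string; a result of (True, True) means the version is in the affected range and the config has the shape that triggers the implicit no_auth_user, so one of the three mitigations above is required. The parser deliberately covers only braces, lists, bare words and quoted strings, which is enough for the account and authorization sections; it is not a full implementation of the server's configuration language.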