TL;DR
RabbitMQ has patched two critical flaws that allow authentication bypass. One breaks TLS client-certificate checks. The other lets a network attacker forge OAuth2 token validation. Team RabbitMQ found both internally, and no exploitation in the wild has been confirmed.
Why it matters
RabbitMQ moves messages between apps, microservices, and IoT devices. It often sits at the core of a data pipeline. A RabbitMQ authentication bypass lets an attacker slip past identity checks. From there, they can read, inject, or disrupt messages across services.
How the attack works
The first flaw scores 9.2 and hits the OAuth2 plugin. When no CA bundle is available, the broker skips TLS verification for its JWKS fetch without any warning. So a man-in-the-middle attacker can forge that response. The broker then accepts arbitrary JWTs and trusts a fake identity. This mainly affects minimal containers where the OS CA bundle is empty.
The second flaw scores 9.1 and hits the trust-store plugin. It allowlists client certificates by issuer and serial number only. Those fields are not secret. As a result, an attacker who knows them can present a forged self-signed certificate and pass the check. This trust-store bug is a full RabbitMQ authentication bypass. We are not sharing exploit code.
Exploitation status
RabbitMQ reports no attacks in the wild so far. No public proof-of-concept has been confirmed. Still, both scores sit above 9.0, so treat them as urgent. Patch before attackers reverse the fixes.
Affected versions
Both bugs affect earlier RabbitMQ builds across several release lines. Team RabbitMQ, part of Broadcom, reported the issues. For the full write-ups, see the RabbitMQ security advisories.
Patch and mitigation
Both flaws are fixed in 3.13.15, 4.0.20, 4.1.11, 4.2.6, and 4.3.0. Update without delay from the RabbitMQ releases page. Until you patch, set a valid CA bundle for OAuth2. Also avoid relying on the trust-store plugin for client authentication.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.