Description
RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to topics that include their client ID. However, the client_id is provided by the user in the MQTT CONNECT packet and is inserted into the regex pattern without escaping special regex characters. This flaw enables an authenticated MQTT user to inject regex operators to bypass authorization. This vulnerability is fixed in 4.2.4 and 4.3.0.
Published: 2026-05-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RabbitMQ versions 4.2.0 through 4.2.3 allow an authenticated MQTT user to craft a CONNECT packet containing a malicious client identifier. The broker substitutes this client_id into a regular-expression-based topic authorization pattern without escaping regex metacharacters, which lets the client inject regex operators into the pattern. An attacker can use this to bypass the authorization checks and gain unauthorized read or write access to MQTT topics that should be protected.

Affected Systems

The vulnerability affects RabbitMQ Server public releases from 4.2.0 up to (but excluding) 4.2.4. The fix is also carried in 4.3.0, so 4.3.x builds predating that release are affected. All installations that enable the MQTT plugin and use user-supplied client IDs in topic patterns are susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation. The attack vector requires an authenticated MQTT user, but once authenticated, such a user can bypass topic permissions across the broker, potentially allowing an insider or compromised client to expose or alter data on protected topics.

Generated by OpenCVE AI on May 27, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RabbitMQ Server to version 4.2.4 or later, or to the latest 4.3.x release that contains the fix.
  • If an upgrade is not immediately feasible, disable or restrict the MQTT plugin for services that do not require it.
  • Validate client_id values, or escape regex special characters in them, before they are incorporated into regular-expression patterns, so that the MQTT CONNECT packet cannot feed unfiltered input into the authorization logic.
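The pattern-substitution flaw described above, and the escaping/validation that the last recommended action calls for, shown side by side. This is added example code in Python, not RabbitMQ's Erlang implementation; the template string, the helper names and the client-ID allowlist are constructed assumptions for illustration.

```python
import re

# Constructed template in the style of the advisory's example
# ("^{client_id}-sensors$"); not RabbitMQ's own configuration.
TOPIC_PATTERN = r"^{client_id}-sensors$"


def topic_allowed_unescaped(client_id: str, topic: str) -> bool:
    """Flawed behaviour: the client_id from the CONNECT packet is pasted
    into the pattern verbatim, so any regex metacharacter it contains
    changes what the pattern matches."""
    pattern = TOPIC_PATTERN.replace("{client_id}", client_id)
    return re.fullmatch(pattern, topic) is not None


def topic_allowed_escaped(client_id: str, topic: str) -> bool:
    """Hardened behaviour: re.escape() makes the substituted value match
    only itself. str.replace inserts the backslashes literally, which is
    what we want here (re.sub would interpret them)."""
    pattern = TOPIC_PATTERN.replace("{client_id}", re.escape(client_id))
    return re.fullmatch(pattern, topic) is not None


# Assumed allowlist for this example: letters, digits, '_' and '-', up to
# 64 characters. Real deployments must choose a policy that fits their
# client naming scheme.
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_client_id(client_id: str) -> bool:
    """Defence in depth: reject client IDs that carry regex metacharacters
    before they ever reach pattern construction."""
    return CLIENT_ID_RE.fullmatch(client_id) is not None


if __name__ == "__main__":
    # A client ID containing '.' (a regex operator) is enough to show the
    # difference: unescaped, it also matches topics of other clients.
    cid, own_topic, other_topic = "node.1", "node.1-sensors", "nodeX1-sensors"
    print("unescaped, own topic  :", topic_allowed_unescaped(cid, own_topic))
    print("unescaped, other topic:", topic_allowed_unescaped(cid, other_topic))
    print("escaped,   own topic  :", topic_allowed_escaped(cid, own_topic))
    print("escaped,   other topic:", topic_allowed_escaped(cid, other_topic))
    print("client id passes allowlist:", is_valid_client_id(cid))
```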


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Rabbitmq
                                      Rabbitmq rabbitmq-server
Vendors & Products                    Rabbitmq
                                      Rabbitmq rabbitmq-server

Thu, 28 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to topics that include their client ID. However, the client_id is provided by the user in the MQTT CONNECT packet and is inserted into the regex pattern without escaping special regex characters. This flaw enables an authenticated MQTT user to inject regex operators to bypass authorization. This vulnerability is fixed in 4.2.4 and 4.3.0.
Title                          RabbitMQ MQTT Topic Permission Authorization Bypass
Weaknesses                     CWE-863
References
Metrics                        cvssV4_0
                               {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:N'}


Subscriptions

Rabbitmq Rabbitmq-server
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:31:11.075Z

Reserved: 2026-05-07T21:21:48.352Z

Link: CVE-2026-44838

Vulnrichment

Updated: 2026-05-28T14:31:07.196Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T15:16:28.743

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:50:37Z

Weaknesses