Description
RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, unsanitized vhost names allow for XSS in the management UI. This vulnerability is fixed in 4.1.2 and 4.0.13.
Published: 2026-05-27
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the RabbitMQ management UI failing to escape vhost names before rendering them (CWE-80). A vhost name containing HTML or JavaScript is stored verbatim by the broker and becomes live markup the moment any user loads a management UI page that displays it. The injected script then runs in that user's browser with their management session; when the viewer is an administrator this means session hijacking, credential theft, or further actions against the broker taken through the management API in the administrator's name.
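The defect is the classic template-injection pattern: a broker-supplied string is spliced into markup without escaping. The snippet below is an added illustration written for this page, not code from the RabbitMQ management UI. `renderVhostRowUnsafe` models the bug, `renderVhostRowSafe` the fix, and `hostileVhost` is a constructed name chosen to show the effect, not a payload observed in the wild.

```javascript
// Added illustration of the unescaped-vhost-name pattern; not RabbitMQ's code.

// Constructed sample: a vhost name carrying an event-handler payload.
// Made up for this demonstration, not a payload seen in the wild.
const hostileVhost = {
  name: '<img src=x onerror="fetch(\'/api/users\')">',
  messages: 0,
};

// Characters that must be neutralized before a string lands in an HTML text
// node or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (CWE-80): the name is concatenated straight into markup.
// Once this string is assigned through innerHTML, the <img> element is created
// and its onerror handler runs with the viewing user's management-UI session.
function renderVhostRowUnsafe(vhost) {
  return `<tr><td><a href="#/vhosts/${vhost.name}">${vhost.name}</a></td>` +
         `<td>${vhost.messages}</td></tr>`;
}

// Hardened pattern: escape for the HTML context, and additionally
// percent-encode the name for the URL-fragment context it is placed in.
function renderVhostRowSafe(vhost) {
  const href = '#/vhosts/' + encodeURIComponent(vhost.name);
  return `<tr><td><a href="${escapeHtml(href)}">${escapeHtml(vhost.name)}</a></td>` +
         `<td>${escapeHtml(vhost.messages)}</td></tr>`;
}

// Regression check: does the rendered row still contain the raw tag?
function rowContainsRawTag(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}

console.log('unsafe:', renderVhostRowUnsafe(hostileVhost));
console.log('safe:  ', renderVhostRowSafe(hostileVhost));
```

Run it with `node` and compare the two rows: the unsafe one contains `<img ... onerror=...>` as a tag, the safe one contains `&lt;img ... onerror=&quot;...&quot;&gt;` as inert text. The fix is the same whichever templating layer is in use: escape at the point of output, per context, rather than trying to validate names on input.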

Affected Systems

Any RabbitMQ server running 3.7.0 through 4.0.12, or any 4.1.x release before 4.1.2 (4.0.13 and 4.1.2 contain the fix). The affected component is the management plugin's HTTP interface, which renders vhost names.

Risk and Exploitability

With a CVSS v4.0 base score of 5.6 the vulnerability is rated medium severity (the NVD-assigned CVSS v3.1 score is 4.8). The EPSS score is below 1%, and it is not listed in the CISA KEV catalog. The vector (AV:N, PR:H, UI:A) captures the preconditions: the attacker needs credentials that allow creating vhosts, which in RabbitMQ is an administrator-level permission, and the payload only fires when another user later loads a management UI page that renders the vhost name. Successful exploitation runs arbitrary JavaScript with the session of that viewing user, which is what makes the cross-account impact (an administrator viewing a name created by a less trusted administrator, or a stale name left behind by a compromised account) the realistic scenario.

Generated by OpenCVE AI on May 27, 2026 at 19:39 UTC.

Remediation

Fixed upstream in RabbitMQ 4.1.2 (4.1.x series) and 4.0.13 (4.0.x series). No workaround is listed; the only mitigation short of upgrading is limiting who can reach the management UI and who can create vhosts.

OpenCVE Recommended Actions

  • Upgrade RabbitMQ to 4.1.2 (4.1.x series) or 4.0.13 (4.0.x series).
  • Audit existing vhost names for HTML or script content; delete any such vhost and recreate it under a clean name if it is still needed.
  • Restrict access to the management UI to trusted administrators, and keep the ability to create vhosts (an administrator-level permission) to as few accounts as possible.
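A concrete form of the audit step, added here as example code rather than anything shipped by RabbitMQ or OpenCVE: it takes the JSON array returned by the management API's `GET /api/vhosts` and flags every name containing an HTML-significant character. `SAMPLE_VHOSTS` is a constructed response with made-up names so the check runs offline; the environment variable names `RABBITMQ_MGMT_URL`, `RABBITMQ_USER` and `RABBITMQ_PASSWORD` are assumptions for the live variant.

```javascript
// Added audit check for the "delete and recreate" action; illustrative code,
// not part of RabbitMQ. Requires Node 18+ for the optional live fetch.

// Constructed sample shaped like a GET /api/vhosts response (only the field
// this check reads). The hostile names are made up for the demonstration.
const SAMPLE_VHOSTS = [
  { name: '/' },
  { name: 'prod-orders' },
  { name: '<script>fetch("/api/users")</script>' },
  { name: 'tenant"><svg onload=alert(1)>' },
  { name: 'billing&reports' },
];

// HTML-significant characters: any name containing one depends on the UI
// escaping it correctly, so it gets a second look regardless of intent.
const HTML_SIGNIFICANT = /[<>"'&]/;

// Returns the names that should be reviewed, in API order.
function findSuspiciousVhosts(vhosts) {
  return vhosts
    .map((v) => v.name)
    .filter((name) => HTML_SIGNIFICANT.test(name));
}

// Management API path for one vhost. The name is a URL path segment, so it
// must be percent-encoded; the default vhost "/" becomes "%2F".
function vhostApiPath(name) {
  return '/api/vhosts/' + encodeURIComponent(name);
}

// Live variant: GET /api/vhosts with HTTP Basic credentials, then apply the
// same filter. Only runs when the (assumed) environment variables are set.
async function auditLiveBroker(baseUrl, user, password) {
  const auth = Buffer.from(`${user}:${password}`).toString('base64');
  const res = await fetch(`${baseUrl}/api/vhosts`, {
    headers: { Authorization: `Basic ${auth}` },
  });
  if (!res.ok) throw new Error(`management API returned HTTP ${res.status}`);
  return findSuspiciousVhosts(await res.json());
}

function report(names) {
  for (const n of names) {
    console.log(`review: ${JSON.stringify(n)} -> DELETE ${vhostApiPath(n)}`);
  }
}

const { RABBITMQ_MGMT_URL, RABBITMQ_USER, RABBITMQ_PASSWORD } = process.env;
if (RABBITMQ_MGMT_URL && RABBITMQ_USER && RABBITMQ_PASSWORD) {
  auditLiveBroker(RABBITMQ_MGMT_URL, RABBITMQ_USER, RABBITMQ_PASSWORD)
    .then(report)
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
} else {
  report(findSuspiciousVhosts(SAMPLE_VHOSTS));
}
```

Run without environment variables to see the check over the constructed sample; point it at a real broker with `RABBITMQ_MGMT_URL=http://broker:15672` plus credentials to audit live data. The printed `DELETE /api/vhosts/...` path is the management API call an administrator would make to remove a flagged vhost; do that from a browser session only after upgrading, since loading the vhost list in a vulnerable UI is exactly what triggers the payload.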

Generated by OpenCVE AI on May 27, 2026 at 19:39 UTC.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Broadcom; Broadcom rabbitmq Server
CPEs                 -                cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*
Vendors & Products   -                Broadcom; Broadcom rabbitmq Server
Metrics              -                cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Fri, 29 May 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Rabbitmq; Rabbitmq rabbitmq-server
Vendors & Products   -                Rabbitmq; Rabbitmq rabbitmq-server

Wed, 27 May 2026 16:30:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Description          -                RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.
Title                -                RabbitMQ: Unsanitized vhost names allow for XSS in management UI
Weaknesses           -                CWE-80
References           -                -
Metrics              -                cvssV4_0 {'score': 5.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T15:47:11.824Z

Reserved: 2026-05-07T21:21:48.352Z

Link: CVE-2026-44839

Vulnrichment

Updated: 2026-05-27T15:46:57.264Z

NVD

Status : Analyzed

Published: 2026-05-27T15:16:29.073

Modified: 2026-06-04T17:40:26.013

Link: CVE-2026-44839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:50:35Z

Weaknesses
  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)