Description
Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process.
To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.
Published: 2026-05-20
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A debug ARN scheme (arn:aws-debug:file) was inadvertently left active in the ARN resolver of the rabbitmq-aws plugin before version 0.2.1. An authenticated user who can reach the PUT /api/aws/arn/validate endpoint can use it to obtain the contents of any file the RabbitMQ process can read, a confidentiality compromise of potentially sensitive system files, configuration data, or credentials. The weakness is CWE-489 (Active Debug Code): debug or test functionality left enabled in a production release.

Affected Systems

The vulnerability affects the RabbitMQ AWS plugin (rabbitmq-aws) provided by Amazon MQ. Any deployment running a version of the rabbitmq-aws component older than 0.2.1 is impacted; updates are available through the Amazon MQ release channels.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, but no EPSS score is available, so the exact likelihood of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a remote, authenticated user to access the management API endpoint that accepts the debug ARN scheme; thus, an adversary would need legitimate credentials to the RabbitMQ management interface. Once authenticated, the attacker could read arbitrary files on the host. If TLS is used for management connections, rotating private certificate keys is also recommended to mitigate related credential exposure.
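As an added defender-side example (not code from the rabbitmq-aws project or from this record), the following Python shows two checks that follow from the description above: an ARN partition allowlist that rejects any non-AWS scheme such as arn:aws-debug:file before any resolver is consulted, and a scan over management-API access-log lines that flags PUT /api/aws/arn/validate requests, escalating when the debug scheme appears in the logged ARN. The log line format, usernames and ARN values are constructed for the example; the `file:REDACTED-PATH` remainder is a placeholder, since the record does not give the scheme's full syntax.

```python
"""Defender-side checks related to the rabbitmq-aws debug ARN scheme (CVE-2026-9133).

Part 1: an ARN partition allowlist (the policy a hardened validator would apply).
Part 2: a scan over access-log lines for calls to the validation endpoint.
The log format, users and ARNs below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Genuine AWS partitions. Anything else is refused before resolution logic runs,
# so a "debug" partition can never reach a file-backed resolver.
ALLOWED_PARTITIONS = frozenset({"aws", "aws-cn", "aws-us-gov"})
DEBUG_SCHEME_PREFIX = "arn:aws-debug:"  # scheme named in the advisory
VALIDATE_PATH = "/api/aws/arn/validate"  # endpoint named in the advisory


def arn_is_acceptable(arn: str) -> bool:
    """Return True only for a well-formed ARN in a real AWS partition.

    Layout assumed: arn:partition:service:region:account:resource
    (region and account may be empty for global services such as IAM or S3).
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return False
    if parts[1] not in ALLOWED_PARTITIONS:
        return False
    return parts[2] != "" and parts[5] != ""  # service and resource required


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    severity: str  # "high" when the debug scheme is visible, else "review"
    arn: str


# Constructed log format (assumption): space-separated key=value pairs, ARN quoted.
# Real management or reverse-proxy logs will differ; adapt the regex accordingly.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) '
    r'path=(?P<path>\S+) status=(?P<status>\d{3})(?: arn="(?P<arn>[^"]*)")?$'
)


def scan_log_lines(lines):
    """Flag every PUT to the validation endpoint; escalate on the debug scheme."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a line in another format is skipped, not a crash
        if m["method"] != "PUT" or m["path"] != VALIDATE_PATH:
            continue
        arn = m["arn"] or ""
        # Case-insensitive so mixed-case variants of the scheme are not missed.
        severity = "high" if arn.lower().startswith(DEBUG_SCHEME_PREFIX) else "review"
        findings.append(Finding(m["ts"], m["user"], severity, arn))
    return findings


# Constructed sample: one ordinary validation, one unrelated request,
# one call carrying the debug scheme (path placeholder), one rejected call.
SAMPLE_LOG = [
    '2026-05-21T10:00:01Z user=deploy method=PUT path=/api/aws/arn/validate '
    'status=200 arn="arn:aws:sqs:us-east-1:123456789012:orders"',
    '2026-05-21T10:00:07Z user=deploy method=GET path=/api/overview status=200',
    '2026-05-21T10:01:13Z user=svc-tmp method=PUT path=/api/aws/arn/validate '
    'status=200 arn="arn:aws-debug:file:REDACTED-PATH"',
    '2026-05-21T10:01:20Z user=svc-tmp method=PUT path=/api/aws/arn/validate status=400',
]


def scan_sample():
    """Run the scan over the constructed sample log."""
    return scan_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.severity:6} {f.timestamp} user={f.user} arn={f.arn or '-'}")
    print("arn:aws-debug:file:REDACTED-PATH acceptable?",
          arn_is_acceptable("arn:aws-debug:file:REDACTED-PATH"))
```

On a deployment still below 0.2.1, every "review" finding is worth correlating with the calling user, and any "high" finding should be treated as a probable read of host files, which is when the certificate-key rotation the description recommends becomes urgent rather than precautionary.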

Generated by OpenCVE AI on May 20, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the rabbitmq-aws plugin to version 0.2.1 or later, which removes the debug ARN scheme from the ARN resolver.
  • If RabbitMQ is configured to use TLS for management connections, rotate any associated private certificate keys to minimize credential exposure.
  • Restrict access to the RabbitMQ management API by configuring firewall rules or network ACLs to limit connections to trusted hosts only.

Generated by OpenCVE AI on May 20, 2026 at 21:51 UTC.

Advisories

No advisories yet.

History

Thu, 21 May 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Description          -                Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.
Title                -                Arbitrary file read in rabbitmq-aws plugin
First Time appeared  -                Aws; Aws rabbitmq Aws
Weaknesses           -                CWE-489
CPEs                 -                cpe:2.3:a:aws:rabbitmq_aws:*:*:*:*:*:*:*:*
Vendors & Products   -                Aws; Aws rabbitmq Aws
References           -                -
Metrics              -                cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}
                                      cvssV4_0 {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-05-21T12:50:24.829Z

Reserved: 2026-05-20T18:21:53.557Z

Link: CVE-2026-9133

Vulnrichment

Updated: 2026-05-21T12:49:10.454Z

NVD

Status : Deferred

Published: 2026-05-20T20:16:45.860

Modified: 2026-05-21T15:24:25.330

Link: CVE-2026-9133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T08:18:50Z

Weaknesses