{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-57219","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-24T02:21:33.810Z","datePublished":"2026-07-10T20:22:26.516Z","dateUpdated":"2026-07-10T20:22:26.516Z"},"containers":{"cna":{"title":"RabbitMQ: Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations","problemTypes":[{"descriptions":[{"cweId":"CWE-200","lang":"en","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","baseScore":8.7,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-pj24-8j6m-vq9q","tags":["x_refsource_CONFIRM"],"url":"https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-pj24-8j6m-vq9q"},{"name":"https://github.com/rabbitmq/rabbitmq-server/pull/16083","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/pull/16083"},{"name":"https://github.com/rabbitmq/rabbitmq-server/pull/16086","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/pull/16086"},{"name":"https://github.com/rabbitmq/rabbitmq-server/commit/98b1daf740237c85941e8addcbea6e74f4a2743c","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/commit/98b1daf740237c85941e8addcbea6e74f4a2743c"},{"name":"https://github.com/rabbitmq/rabbitmq-server/commit/aa387c4451e7b674df3e3ba89df86a99d697cc7f","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/commit/aa387c4451e7b674df3e3ba89df86a99d697cc7f"},{"name":"https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.6","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.6"}],"affected":[{"vendor":"rabbitmq","product":"rabbitmq-server","versions":[{"version":">= 4.2.0, < 4.2.6","status":"affected"},{"version":">= 4.1.0, < 4.1.11","status":"affected"},{"version":">= 4.0.0, < 4.0.21","status":"affected"},{"version":">= 3.13.0, < 3.13.15","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-10T20:22:26.516Z"},"descriptions":[{"lang":"en","value":"RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauth_client_secret, exposing credentials to unauthenticated callers when the management plugin and that OAuth configuration are enabled. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6."}],"source":{"advisory":"GHSA-pj24-8j6m-vq9q","discovery":"UNKNOWN"}}}}