External risk intelligence

RabbitMQ Management Plugin UNC Path Traversal Leads to DNS SMB Requests.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-57211

The vulnerability exists in the RabbitMQ management plugin, which provides a web-based interface for monitoring and administration. This management UI is frequently deployed as a network-accessible service and, while often restricted to internal segments, is commonly reachable via web interfaces in many deployment patterns.

Path Traversal

Broadcom Rabbitmq Server

4.1.0 to before 4.2.6

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in RabbitMQ, a messaging and streaming broker, that could allow an attacker to trigger outbound network requests to malicious servers. The issue arises from how the management plugin handles certain file paths, potentially leading to sensitive information exposure or system compromise through DNS or SMB requests.

  • Remote attackers can trigger network requests.
  • Matters if RabbitMQ management plugin is exposed.
  • Confirm relevance and confirm exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by sending specially crafted web requests to an exposed RabbitMQ management interface. If multiple management extension plugins are enabled, the handler for static files might incorrectly process URL-encoded backslashes. This could allow an attacker to trick the server into making outbound DNS and SMB requests to a location they control.

  • Unauthenticated network access is required.
  • Specially crafted web requests trigger the flaw.
  • Allows unauthorized DNS and SMB requests.

Live Threat

Current exploitation, exposure, and threat context

When multiple management extension plugins are enabled on Windows, a vulnerability in the RabbitMQ management plugin's static file handler could allow an attacker to trigger outbound DNS and SMB requests to attacker-controlled UNC paths, potentially exposing system data and influencing service behavior.

  • System data and service behavior.
  • Triggered by specially crafted web requests.
  • Information disclosure or denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for RabbitMQ servers and their associated management plugins, including infrastructure and platform teams, should prioritize this critical vulnerability. The first step is to identify all RabbitMQ deployments, assess their network reachability and business criticality, and confirm ownership before planning remediation.

  • Identify and confirm RabbitMQ ownership.
  • Verify management plugin reachability and impact.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is RabbitMQ?

RabbitMQ is a messaging and streaming broker used to facilitate communication between different software applications by queuing and routing data. The affected component, the management plugin, provides a web-based interface that administrators use to monitor broker performance, manage queues, and oversee exchange configurations.

What does CWE-36 and CWE-918 mean for CVE-2026-57211?

These codes represent Absolute Path Traversal and Server-Side Request Forgery. In this case, the vulnerability means the software fails to properly sanitize file paths containing encoded backslashes. An attacker can exploit this to force the server to initiate unintended network connections, such as DNS or SMB requests, toward external, attacker-controlled locations.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted web request to the RabbitMQ management interface. The flaw specifically requires that multiple management extension plugins are enabled on a Windows host. Requests that do not contain the specific malformed URL-encoded path sequences or systems where these specific plugins are not active will not trigger the bug.

Is my RabbitMQ instance at risk?

Risk depends on how you host the management plugin. According to Halo Surface Signal, this interface is often network-accessible for monitoring. If your management UI is reachable over the network—even if intended for internal use—it may be exposed to these crafted requests. Assess whether your management console is reachable from segments where untrusted traffic could arrive.

What should I do to secure my environment?

Your first step is to locate all RabbitMQ installations and determine if they have the management plugin enabled on Windows. Confirm the version currently running; if it is older than 4.1.11 or 4.2.6, prioritize updating to a patched release. Evaluate the necessity of external access to the management interface and restrict network visibility as an immediate defensive measure.

References