PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9133 AWS CVE debrief

CVE-2026-9133 describes a high-severity flaw in the rabbitmq-aws component used with Amazon MQ. According to the CVE and NVD record, a debug ARN scheme was left active in the ARN resolver before version 0.2.1. If an authenticated user can reach the PUT /api/aws/arn/validate endpoint, the accepted arn:aws-debug:file scheme may allow arbitrary file reads from paths accessible to the RabbitMQ process. The published remediation is to upgrade to rabbitmq-aws 0.2.1; if TLS is in use, private certificate keys should also be rotated.

Vendor: AWS
Product: RabbitMQ AWS
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Operators and security teams running rabbitmq-aws, Amazon MQ deployments that include this component, and anyone exposing the ARN validation API to authenticated users. Infrastructure teams should also review TLS certificate handling if that feature is enabled.

Technical summary

The issue is an active debug-code exposure in the ARN resolver. The vulnerable behavior is tied to the PUT /api/aws/arn/validate validation endpoint, which accepts a debug ARN scheme (arn:aws-debug:file). In affected versions before 0.2.1, that behavior may let remote authenticated users read arbitrary files that the RabbitMQ process can access. The NVD record lists CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:H, consistent with network-reachable, low-privilege exploitation and high confidentiality impact.

Defensive priority

High. The issue is remotely reachable, requires only low privileges, and can expose sensitive local files. Treat as urgent for exposed or multi-tenant deployments.

Recommended defensive actions

  • Upgrade rabbitmq-aws to version 0.2.1 as the primary fix.
  • Restrict access to the PUT /api/aws/arn/validate endpoint to trusted administrators only, if it must remain available.
  • Review logs and access controls around authenticated API use for any unusual requests to ARN validation endpoints.
  • If TLS is configured, rotate any associated private certificate keys as recommended in the advisory.
  • Verify deployed versions and dependency pins to ensure no hosts remain on rabbitmq-aws versions earlier than 0.2.1.
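As an added check that is not part of the original debrief or of the rabbitmq-aws project: a small Python helper that flags hosts still on a rabbitmq-aws version earlier than 0.2.1 and scans audit records for PUT /api/aws/arn/validate requests carrying the arn:aws-debug:file scheme. The JSON-lines audit format, its field names and the version-string format are assumptions; the sample records are constructed.

```python
import json
import re

# All rabbitmq-aws releases earlier than 0.2.1 (the fixed release named in the
# advisory) are treated as affected. Plain dotted-numeric comparison is assumed.
FIXED_VERSION = (0, 2, 1)
DEBUG_SCHEME = "arn:aws-debug:file"
VALIDATE_PATH = "/api/aws/arn/validate"


def parse_version(text):
    """Turn '0.1.9' into (0, 1, 9); missing components count as 0."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def is_affected(version):
    """True when the installed rabbitmq-aws is older than the 0.2.1 fix."""
    return parse_version(version) < FIXED_VERSION


def flag_debug_arn_requests(log_lines):
    """Return (line_no, user, arn) for PUT requests to the validate endpoint whose
    ARN uses the debug scheme. Records are assumed to be JSON lines with
    'method', 'path', 'user' and 'arn' fields (a constructed format)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip rather than abort the scan
        if rec.get("method") != "PUT" or rec.get("path") != VALIDATE_PATH:
            continue
        arn = str(rec.get("arn", ""))
        if arn.lower().startswith(DEBUG_SCHEME):
            hits.append((n, rec.get("user", "?"), arn))
    return hits


# Constructed sample audit records: one benign validation, one debug-scheme
# request (path redacted with a placeholder), one unrelated call, one bad line.
SAMPLE_LOG = [
    '{"method":"PUT","path":"/api/aws/arn/validate","user":"app1","arn":"arn:aws:sqs:us-east-1:123456789012:orders"}',
    '{"method":"PUT","path":"/api/aws/arn/validate","user":"app2","arn":"arn:aws-debug:file:<path-redacted>"}',
    '{"method":"GET","path":"/api/overview","user":"app1"}',
    'not json at all',
]

if __name__ == "__main__":
    for v in ("0.1.9", "0.2.0", "0.2.1", "0.3"):
        print(v, "affected" if is_affected(v) else "fixed")
    for n, user, arn in flag_debug_arn_requests(SAMPLE_LOG):
        print(f"line {n}: user {user} submitted debug ARN {arn}")
```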

Evidence notes

The CVE description states that active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before 0.2.1 and that the arn:aws-debug:file scheme accepted by PUT /api/aws/arn/validate may allow remote authenticated users to perform arbitrary file reads. The NVD record also provides the severity score and lists references to the AWS security bulletin, the 0.2.1 release, and the GitHub security advisory. Dates used here come from the supplied CVE/NVD timestamps (published 2026-05-20).

Official resources

Publicly disclosed and published in the CVE/NVD record on 2026-05-20.