PatchSiren

CVE-2026-44838 rabbitmq CVE debrief

A regex injection vulnerability in RabbitMQ's MQTT plugin allows authenticated users to bypass topic-level authorization controls. The flaw exists in versions 4.2.0 through 4.2.3, where user-supplied client_id values from MQTT CONNECT packets are substituted into authorization regex patterns without proper escaping of special regex characters. An attacker can craft a malicious client_id containing regex metacharacters to manipulate pattern matching and gain unauthorized access to topics. The vulnerability is classified as CWE-863 (Incorrect Authorization) and carries a CVSS 4.0 score of 5.3 (MEDIUM). Fixes are available in versions 4.2.4 and 4.3.0.

Vendor
rabbitmq
Product
rabbitmq-server
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running RabbitMQ 4.2.0-4.2.3 with MQTT plugin enabled and topic-level authorization configured using client_id-based patterns. DevOps teams managing message broker infrastructure, security teams monitoring messaging system access controls, and application teams building IoT or event-driven architectures on RabbitMQ MQTT.

Technical summary

The RabbitMQ MQTT plugin supports topic-level authorization using configurable regex patterns with variable substitution. Administrators can define a topic permission such as ^{client_id}-sensors$ to restrict each connection to the topic named after its own client identifier. The vulnerability arises because the client_id value, chosen by the connecting client and sent in the MQTT CONNECT packet, is inserted verbatim into the regex pattern without escaping regex metacharacters (., *, +, ?, ^, $, [, ], (, ), {, }, |, and the backslash). An authenticated attacker can therefore embed regex operators in their client_id, for example an alternation or an unanchored wildcard, so that the substituted authorization pattern matches topics it was never meant to cover. The attack requires valid MQTT credentials but no additional privileges, since every MQTT client picks its own client_id. Successful exploitation grants unauthorized publish or subscribe access to topics that should have been restricted to other clients.
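Illustration of the substitution flaw and its remedy, as an added example written for this page in Python; it is not RabbitMQ's own code (the MQTT plugin is written in Erlang). build_pattern_unsafe models the behaviour the advisory describes, build_pattern_safe escapes the client-supplied value before substitution, and has_regex_metacharacters is a triage helper for the log review suggested under the recommended actions. The TOPIC_PERMISSION template, the client IDs and the topic names are constructed for the example, and treating a syntactically invalid substituted pattern as deny is an assumption of this model, not documented broker behaviour.

```python
import re

# Constructed topic-permission template in the style the advisory describes:
# the broker substitutes the connection's client_id into the regex before
# matching it against a topic. Illustrative only, not a real RabbitMQ config.
TOPIC_PERMISSION = "^{client_id}-sensors$"

# Regex metacharacters (the advisory's list plus the backslash escape).
REGEX_METACHARACTERS = set(".*+?^$[](){}|\\")


def build_pattern_unsafe(template: str, client_id: str) -> str:
    """Model of the vulnerable behaviour: client_id is copied in verbatim.

    Hypothetical reproduction of the flaw's shape, not RabbitMQ's Erlang code.
    """
    return template.replace("{client_id}", client_id)


def build_pattern_safe(template: str, client_id: str) -> str:
    """Hardened substitution: every metacharacter in client_id is escaped,
    so the value can only match itself literally inside the pattern."""
    return template.replace("{client_id}", re.escape(client_id))


def topic_allowed(pattern: str, topic: str) -> bool:
    """Evaluate a substituted permission pattern against one topic name.

    re.search is used so that the anchors come from the template, not from
    here. A client_id that turns the pattern into invalid regex (e.g. a lone
    '(') is treated as deny; that is an assumption of this model.
    """
    try:
        return re.search(pattern, topic) is not None
    except re.error:
        return False


def check_access(client_id: str, topic: str, template: str = TOPIC_PERMISSION):
    """Return (vulnerable_decision, hardened_decision) for one connection."""
    return (
        topic_allowed(build_pattern_unsafe(template, client_id), topic),
        topic_allowed(build_pattern_safe(template, client_id), topic),
    )


def has_regex_metacharacters(client_id: str) -> bool:
    """Triage helper for log review: a client_id carrying regex operators has
    no ordinary reason to, and is worth a closer look on a 4.2.0-4.2.3 broker
    whose topic permissions substitute client_id."""
    return any(ch in REGEX_METACHARACTERS for ch in client_id)


# Constructed client_id values: one honest device, two crafted by an attacker.
SAMPLE_CLIENT_IDS = [
    "device1",                  # legitimate: may use device1-sensors only
    ".*",                       # wildcard: unsafe pattern becomes ^.*-sensors$
    "device1-sensors$|^admin",  # alternation: adds an attacker-chosen branch
]


def main() -> None:
    target = "admin-sensors"  # topic that belongs to a different client
    for cid in SAMPLE_CLIENT_IDS:
        vulnerable, hardened = check_access(cid, target)
        print(f"client_id={cid!r:28} "
              f"unsafe_pattern={build_pattern_unsafe(TOPIC_PERMISSION, cid)!r}")
        print(f"  access to {target!r}: vulnerable={vulnerable} "
              f"hardened={hardened} suspicious={has_regex_metacharacters(cid)}")


if __name__ == "__main__":
    main()
```

Running it shows the honest device1 denied on admin-sensors under both builds, while the two crafted IDs are granted access by the verbatim substitution and denied once the value is escaped. Escaping the substituted value is the standard remedy for this class of flaw; the advisory itself only states that fixes ship in 4.2.4 and 4.3.0, so do not read the safe variant here as a description of the vendor's patch.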

Defensive priority

medium

Recommended defensive actions

  • Upgrade RabbitMQ to 4.2.4 or later on the 4.2 line, or to 4.3.0 or later, to remediate this vulnerability
  • Review MQTT plugin topic permissions for patterns that substitute the client_id variable; only those patterns are reachable through this flaw
  • Audit MQTT connection logs for client_id values containing regex metacharacters, and topic access logs for publishes or subscriptions by those clients to topics they should not reach
  • Until patching is complete, prefer topic permissions that do not substitute client_id, or enforce topic authorization in a layer independent of regex pattern matching

Evidence notes

Vulnerability confirmed through official GitHub Security Advisory GHSA-x866-xp2g-cx8v. Affected versions explicitly stated as 4.2.0 to before 4.2.4. Fix versions confirmed as 4.2.4 and 4.3.0. CVSS 4.0 vector provided in NVD source data.

Official resources

2026-05-27