PatchSiren cyber security CVE debrief

CVE-2026-44839 rabbitmq CVE debrief

A medium-severity vulnerability in the RabbitMQ messaging and streaming broker affects versions from 3.7.0 through 4.1.1 and 4.0.12. The issue, classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), has been addressed in versions 4.1.2 and 4.0.13. The CVSS 4.0 vector indicates a network attack vector with high attack complexity, high privileges required and user interaction required, with high confidentiality impact but no integrity or availability impact. The vulnerability was published to NVD on May 27, 2026; the vendor security advisory and patch commit are available through GitHub.

Vendor
rabbitmq
Product
rabbitmq-server
CVSS
MEDIUM 5.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running RabbitMQ messaging infrastructure, particularly those with administrative interfaces exposed to users with elevated privileges. Security teams responsible for message broker infrastructure and developers building applications on RabbitMQ should prioritize patching. Given the high privilege and user interaction requirements, risk is elevated for multi-tenant or shared administrative environments.

Technical summary

RabbitMQ versions from 3.7.0 through 4.1.1 and 4.0.12 contain an improper neutralization vulnerability (CWE-80) that could allow script-related HTML tag injection. The CVSS 4.0 score of 5.6 reflects network accessibility with high attack complexity, requiring high privileges and user interaction. Successful exploitation results in high confidentiality impact. The vulnerability has been patched in versions 4.1.2 and 4.0.13.

Defensive priority

medium

Recommended defensive actions

  • Upgrade RabbitMQ to version 4.1.2 or 4.0.13 to remediate this vulnerability
  • Review RabbitMQ deployment for versions between 3.7.0 and 4.1.1 or 4.0.12
  • Monitor vendor security advisory for additional technical details as they become available
  • Assess administrative access controls given high privilege requirements for exploitation
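The first two actions above amount to a version triage across the fleet. The following script is an added example (not PatchSiren's or RabbitMQ's own tooling) that encodes the affected ranges exactly as the debrief states them (3.7.0 through 4.0.12, fixed in 4.0.13; 4.1.0 through 4.1.1, fixed in 4.1.2) and flags which hosts in an inventory still need patching. The inventory format, host names and version strings are constructed sample data; the assumption that `rabbitmqctl version` prints a dotted version is the only thing it expects from a real system.

```python
"""Fleet triage for CVE-2026-44839 (RabbitMQ), added example.

Affected ranges as given in the debrief: 3.7.0 .. 4.0.12 (fixed in 4.0.13)
and 4.1.0 .. 4.1.1 (fixed in 4.1.2). Everything below is constructed sample
data; no real hosts are referenced.
"""
import re

# First affected release and the first fixed release per maintained branch.
FIRST_AFFECTED = (3, 7, 0)
FIXED = {(4, 0): (4, 0, 13), (4, 1): (4, 1, 2)}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from free-form version text.

    Accepts plain "4.0.12", "v4.0.12", distro-style "3.13.7-1" or the output
    of `rabbitmqctl version` (assumed to contain the dotted version).
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside the ranges stated in the debrief."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIRST_AFFECTED:
        return False                      # older than 3.7.0: outside stated range
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]          # 4.0.x below 4.0.13, 4.1.x below 4.1.2
    return v < (4, 0, 0)                  # 3.7.0 .. 3.x: all inside stated range


def recommended_fix(version):
    """Fixed release to move to, or None if the version is not affected.

    4.1.x stays on its branch (4.1.2); everything else gets 4.0.13, the lower
    of the two fixed releases the debrief lists (4.1.2 is equally valid).
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if not is_affected(v):
        return None
    return "4.1.2" if v[:2] == (4, 1) else "4.0.13"


# Constructed sample inventory: "<host> <rabbitmq version>" per line.
INVENTORY = """\
# host          rabbitmq_version   (constructed, not real hosts)
mq-prod-01      4.1.1
mq-prod-02      4.1.2
mq-legacy-01    3.9.13
mq-stage-01     4.0.12
mq-stage-02     4.0.13
mq-old-01       3.6.16
"""


def triage(inventory_text):
    """Return [(host, version, recommended_fix)] for every affected host."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ver = line.split()[:2]
        if is_affected(ver):
            findings.append((host, ver, recommended_fix(ver)))
    return findings


if __name__ == "__main__":
    for host, ver, fix in triage(INVENTORY):
        print(f"{host}: {ver} affected by CVE-2026-44839, upgrade to {fix}")
```

In practice the inventory text would come from whatever records broker versions for you (configuration management, or `rabbitmqctl version` collected from each node); the range logic is kept in one place so the fixed versions can be adjusted if the vendor advisory later refines them.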

Evidence notes

CVE published 2026-05-27. Vendor advisory and patch commit confirmed via GitHub security advisories. CVSS 4.0 vector provided in NVD source. Fix versions explicitly stated in CVE description.
