COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-57211

CVE-2026-57211

Severity
medium
Source
NVD · cve
Published
2026-07-10
CVSS
6.5
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-57211
shame 20/100

RabbitMQ is a messaging and streaming broker. Prior to 4.1.11 and 4.2.6 on Windows, the RabbitMQ management plugin static file handler rabbit_mgmt_wm_static can pass URL-encoded backslashes to erl_prim_loader:read_file_info before path validation when multiple management extensio

Players implicated

Broadcom · vendorMicrosoft · vendorrabbitmq server · productwindows · product

Description

RabbitMQ is a messaging and streaming broker. Prior to 4.1.11 and 4.2.6 on Windows, the RabbitMQ management plugin static file handler rabbit_mgmt_wm_static can pass URL-encoded backslashes to erl_prim_loader:read_file_info before path validation when multiple management extension plugins are enabled, causing outbound DNS and SMB requests to attacker-controlled UNC paths. This issue is fixed in versions 4.1.11 and 4.2.6.

Affected FedRAMP products 8 in the catalog

ProductProviderStatusMatch
Azure Commercial Cloud Microsoft Authorized vendor-exact · 0.90
Azure Government (includes Dynamics 365) Microsoft Authorized vendor-exact · 0.90
Clarity Broadcom Authorized vendor-exact · 0.90
General Support Systems (GSS) Broadcom Authorized vendor-exact · 0.90
Microsoft Office 365 GCC High Microsoft In Process vendor-exact · 0.90
Office 365 Multi-Tenant & Supporting Services Microsoft Authorized vendor-exact · 0.90
Rally Broadcom Authorized vendor-exact · 0.90
Symantec Gov Cloud Security (GCS) Broadcom In Process vendor-exact · 0.90