Vulnerability Details CVE-2026-57215
RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, RabbitMQ allows foreign bindings to amq.rabbitmq.reply-to destinations because volatile direct-reply-to queues can be accepted at bind and route time but are missing from Khepri-backed deletion checks, leaving persistent route entries after unbind. This issue is fixed in versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 15.6%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-57215
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.0
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.1
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.2
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.3
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.4
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.5
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.6
-
cpe:2.3:a:broadcom:rabbitmq_server:3.13.7
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.0
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.1
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.13
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.2
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.3
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.4
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.5
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.6
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.7
-
cpe:2.3:a:broadcom:rabbitmq_server:4.0.9
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.0
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.1
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.2
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.3
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.4
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.5
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.6
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.7
-
cpe:2.3:a:broadcom:rabbitmq_server:4.1.8
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.0
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.1
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.2
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.3
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.4
-
cpe:2.3:a:broadcom:rabbitmq_server:4.2.5