RabbitMQ XSS attack via federation and shovel endpoints
Description
Pivotal RabbitMQ, 3.7 versions prior to 3.7.20 and 3.8 versions prior to 3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross-site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pivotal RabbitMQ and RabbitMQ for PCF have XSS in federation and shovel endpoints, allowing authenticated admins to access virtual hosts and policy data.
The vulnerability resides in the federation and shovel management endpoints of RabbitMQ, which fail to properly sanitize user-supplied input in the vhost or node name fields. This oversight allows a remote, authenticated user with administrative privileges to inject arbitrary HTML or JavaScript, leading to a stored cross-site scripting (XSS) condition [1][2].
Exploitation requires an attacker to have administrative access to the RabbitMQ management interface. The attacker can craft malicious input in the vhost or node name fields, which is then reflected or stored without sanitization. When other administrators view the affected management pages, the injected script executes in their browser context, enabling the attacker to perform actions on their behalf [1].
Successful XSS can grant the attacker access to virtual hosts and policy management information. While the attacker already has administrative privileges, the XSS could be used to escalate privileges within the management UI or to steal sensitive configuration data from other administrators [1].
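As an added illustration of the bug class described above (example code, not RabbitMQ's own management UI and not taken from the advisory): a page renderer that concatenates a vhost or node name straight into HTML, beside the version that escapes every interpolated value at the point of output, plus a small check a reviewer can run over rendered fragments to catch field values that survived unescaped. The function names, field names and sample vhost record are assumptions constructed for this example.

```javascript
// Added example (not RabbitMQ's code): rendering user-controlled names such as
// a vhost or node name into management-page HTML. The record below is
// constructed sample input, not data from the advisory.

// Unsafe pattern: string concatenation into markup. Any '<', '>' or '"' in the
// stored name is parsed as HTML by the browser of whoever views the page,
// which is the stored-XSS condition the advisory describes.
function renderVhostRowUnsafe(vhost) {
  return '<tr><td>' + vhost.name + '</td><td>' + vhost.node + '</td></tr>';
}

// Escape the five characters that can change context when a value is placed
// in element text or inside a double- or single-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened pattern: every interpolated value is escaped on output, so the
// stored name is displayed literally and never interpreted as markup.
function renderVhostRowSafe(vhost) {
  return '<tr><td>' + escapeHtml(vhost.name) +
         '</td><td>' + escapeHtml(vhost.node) + '</td></tr>';
}

// Review check: true if any field value containing markup characters appears
// verbatim in the rendered fragment, i.e. it reached the page unescaped.
function containsUnescapedMarkup(html, fieldValues) {
  return fieldValues.some((v) => /[<>"']/.test(v) && html.includes(v));
}

// Constructed sample: a vhost record whose name and node carry markup
// characters, as an administrator could submit them through the API.
const sampleVhost = { name: 'tenant-<b>one</b>', node: 'rabbit@"host"' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderVhostRowUnsafe(sampleVhost));
  console.log('safe   :', renderVhostRowSafe(sampleVhost));
  console.log('unsafe leaks markup:',
    containsUnescapedMarkup(renderVhostRowUnsafe(sampleVhost),
                            [sampleVhost.name, sampleVhost.node]));
}
```

The check is deliberately conservative: it only flags values that contain markup-significant characters and reappear unchanged, so it is useful as a regression assertion over a renderer's output rather than as a general XSS scanner.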
Red Hat has rated this issue as Low severity and released updated packages (rabbitmq-server 3.7.23-2) for Red Hat OpenStack Platform 15 [2]. Pivotal has fixed the issue in RabbitMQ 3.7.20 and 3.8.1, and in RabbitMQ for PCF versions 1.16.7 and 1.17.4. Users are advised to upgrade to the patched versions to mitigate this vulnerability [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rabbit_common (Hex) | >= 3.7.0, < 3.7.20 | 3.7.20 |
| rabbit_common (Hex) | >= 3.8.0, < 3.8.1 | 3.8.1 |
Affected products
- Range: 1.16.x < 1.16.7, 1.17.x < 1.17.4
- Range: 3.8
- Pivotal / RabbitMQ for Pivotal Platform (v5), range: 1.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2020:0553 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-9pf7-f47q-mwpq (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-11291 (NVD advisory)
- pivotal.io/security/cve-2019-11291 (vendor confirmation, Pivotal)
News mentions
No linked articles in our index yet.