CVE-2026-9133
Description
Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process.
To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Active debug code in rabbitmq-aws before 0.2.1 allows authenticated users to read arbitrary files on the RabbitMQ server via a debug ARN scheme.
Vulnerability
An active debug code path exists in the ARN resolver of the rabbitmq-aws plugin, versions >=0.1.0 and <=0.2.0 [2][3]. The plugin exposes a PUT /api/aws/arn/validate validation endpoint that accepts a debug ARN scheme (arn:aws-debug:file). This debug scheme was inadvertently shipped in production builds with no mechanism to disable it [2][3]. The endpoint extracts a file path from the debug ARN and reads that file from disk within the RabbitMQ process [3].
Exploitation
An attacker must be an authenticated RabbitMQ user with management API access [3]. The attacker sends a crafted PUT request to the validation endpoint with a debug ARN pointing to a target file (e.g., arn:aws-debug:file:///etc/rabbitmq/conf). The plugin's code then reads the file and returns its contents in the response [2][3]. No additional privileges or user interaction beyond authentication is required [2].
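The request pattern described above is what a defender can look for in the HTTP access logs in front of the management API. The following is an added example (not part of this advisory or of the rabbitmq-aws plugin): it parses Common-Log-Format lines, as a reverse proxy in front of the management API might write them, with an optional trailing request-body field that some proxies or WAFs append, and flags PUT requests to /api/aws/arn/validate. The log format and all sample lines are constructed; the endpoint path, the arn:aws-debug: prefix and the 405 behaviour after disabling the plugin come from the advisory. Because plain access logs carry only method and path, a hit without a body field can be triaged but not confirmed as use of the debug scheme.

```python
"""Flag management-API requests to the ARN validation endpoint in access logs.

Added example, not part of the advisory or the plugin. Assumes a Common-Log-
Format access log with an optional trailing request-body field; the sample
lines are constructed. Adapt LOG_RE to your own log layout.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

VALIDATE_PATH = "/api/aws/arn/validate"  # endpoint named in the advisory
DEBUG_SCHEME = "arn:aws-debug:"           # debug ARN prefix named in the advisory

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: (?P<body>.+))?$'
)

# Constructed sample: normal traffic, two hits with a logged body (one debug
# scheme, one real ARN), a hit without body logging, and a PUT after the
# plugin was disabled (the advisory says the endpoint then answers 405).
SAMPLE_LOG = [
    '10.0.0.5 - alice [20/May/2026:10:00:01 +0000] "GET /api/overview HTTP/1.1" 200 1532',
    '10.0.0.9 - bob [20/May/2026:10:00:07 +0000] "PUT /api/aws/arn/validate HTTP/1.1" 200 812 '
    '{"arn":"arn:aws-debug:file:::/etc/rabbitmq/conf"}',
    '10.0.0.9 - bob [20/May/2026:10:00:09 +0000] "PUT /api/aws/arn/validate HTTP/1.1" 200 64 '
    '{"arn":"arn:aws:s3:::certs/broker.pem"}',
    '10.0.0.12 - carol [20/May/2026:10:01:00 +0000] "PUT /api/aws/arn/validate HTTP/1.1" 200 64',
    '10.0.0.12 - carol [21/May/2026:09:00:00 +0000] "PUT /api/aws/arn/validate HTTP/1.1" 405 0',
]


def classify(method: str, path: str, status: str, body: Optional[str]) -> Optional[str]:
    """Severity for one request, or None if it is not a PUT to the endpoint.

    'high'    body was logged and contains the debug scheme
    'blocked' endpoint answered 405 (plugin disabled); attempt still worth noting
    'review'  PUT to the endpoint; body absent or carries a non-debug ARN
    """
    if method != "PUT" or path.split("?", 1)[0] != VALIDATE_PATH:
        return None
    if status == "405":
        return "blocked"
    if body is not None and DEBUG_SCHEME in body:
        return "high"
    return "review"


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse each line and keep those that classify as findings."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line; count or log these in production
        severity = classify(m["method"], m["path"], m["status"], m["body"])
        if severity is None:
            continue
        findings.append({
            "ts": m["ts"], "client": m["client"], "user": m["user"],
            "status": m["status"], "severity": severity,
            "body_logged": m["body"] is not None,
        })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Counter:
    """Count findings per (user, severity) to see who touched the endpoint."""
    return Counter((f["user"], f["severity"]) for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:8s} {f['ts']} {f['user']}@{f['client']} "
              f"status={f['status']} body_logged={f['body_logged']}")
    print(dict(summarize(found)))
```

Any 'review' hit on a broker that is still below 0.2.1 deserves a look at what that user did next, and a burst of 'blocked' hits after the plugin was disabled tells you someone kept trying.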
Impact
Successful exploitation allows the attacker to read any file accessible to the RabbitMQ process [2][3]. This includes configuration files that may contain secrets such as passwords and TLS private keys [3]. The compromise leads to information disclosure of sensitive data on the broker's filesystem. Since the attacker is already authenticated, the scope is limited to file read, but the leaked secrets could enable further attacks.
Mitigation
This issue has been fixed in rabbitmq-aws version 0.2.1 [1][2][3]. Users should upgrade to 0.2.1 immediately and rotate any secrets stored in files that the RabbitMQ process could read, especially TLS private certificate keys [2][3]. As a workaround, the plugin can be disabled with rabbitmq-plugins disable aws, which removes the validation endpoint (PUT requests then return 405) but also disables ARN resolution at startup, so filesystem-based certificate configuration must be used instead [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <0.2.1
Patches
Commit 61ce3682d787: Merge commit from fork
2 files changed · +0 −3
CODEBASE_SUMMARY.md+0 −1 modified@@ -57,7 +57,6 @@ The plugin uses RabbitMQ's boot step mechanism to execute before networking star - `arn:aws:s3:::bucket/key` - S3 objects - `arn:aws:secretsmanager:region:account:secret:name` - Secrets Manager - `arn:aws:acm-pca:region:account:certificate-authority/id` - ACM Private CA -- `arn:aws-debug:file:::path` - Local files (testing only) #### `aws_arn_env.erl` **Purpose:** Application environment manipulation
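Review bot: Dropping the `arn:aws-debug:file:::path` bullet from the supported-ARN list in CODEBASE_SUMMARY.md brings the document in line with the resolver, but the list now says nothing about what happens to an ARN that is not one of the three remaining kinds; add a sentence stating that any other partition or service yields `{error, term()}` (the return type the `-spec` in `aws_arn_util.erl` promises), so readers learn the negative behaviour explicitly rather than by omission, and mention in the 0.2.1 changelog that the debug scheme was removed so operators know the upgrade closes the file-read path.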
src/aws_arn_util.erl+0 −2 modified@@ -14,8 +14,6 @@ -spec resolve_arn(string()) -> {ok, binary()} | {error, term()}. resolve_arn(Arn) -> case parse_arn(Arn) of - {ok, #{partition := "aws-debug", service := "file", resource := Resource}} -> - {ok, _File} = file:read_file(Resource); {ok, #{service := "s3", resource := Resource}} -> aws_s3:fetch_object(Resource); {ok, #{service := "secretsmanager", region := Region}} ->
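Review bot: Removing the `partition := "aws-debug", service := "file"` clause closes the local file read, but the clauses that remain (`#{service := "s3", resource := Resource}`, `#{service := "secretsmanager", region := Region}`) still match on `service` alone and never constrain `partition`, so an ARN such as `arn:aws-debug:s3:::...` is still routed to `aws_s3:fetch_object/1` unless `parse_arn/1` rejects unknown partitions, which this hunk does not show. Consider matching `partition := "aws"` (or an allow-list of real AWS partitions) in each clause or validating the partition inside `parse_arn/1`, and add a regression test asserting that `resolve_arn("arn:aws-debug:file:::/some/path")` returns `{error, _}`. Worth noting for any clause that copies the pattern: the removed `{ok, _File} = file:read_file(Resource)` would have raised `badmatch` on an unreadable file instead of returning the `{error, term()}` the `-spec` declares.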
Commit 908412d9ea83: Remove local testing ARN format
2 files changed · +0 −3
CODEBASE_SUMMARY.md+0 −1 modified@@ -57,7 +57,6 @@ The plugin uses RabbitMQ's boot step mechanism to execute before networking star - `arn:aws:s3:::bucket/key` - S3 objects - `arn:aws:secretsmanager:region:account:secret:name` - Secrets Manager - `arn:aws:acm-pca:region:account:certificate-authority/id` - ACM Private CA -- `arn:aws-debug:file:::path` - Local files (testing only) #### `aws_arn_env.erl` **Purpose:** Application environment manipulation
src/aws_arn_util.erl+0 −2 modified@@ -14,8 +14,6 @@ -spec resolve_arn(string()) -> {ok, binary()} | {error, term()}. resolve_arn(Arn) -> case parse_arn(Arn) of - {ok, #{partition := "aws-debug", service := "file", resource := Resource}} -> - {ok, _File} = file:read_file(Resource); {ok, #{service := "s3", resource := Resource}} -> aws_s3:fetch_object(Resource); {ok, #{service := "secretsmanager", region := Region}} ->
Vulnerability mechanics
Root cause
"Active debug code in the ARN resolver accepts a debug ARN scheme (arn:aws-debug:file) that allows arbitrary file reads."
Attack vector
An authenticated attacker sends a PUT request to the /api/aws/arn/validate endpoint with a crafted ARN using the debug scheme arn:aws-debug:file followed by a file path. The debug ARN resolver reads the specified file from the filesystem instead of validating a real AWS ARN. Since the endpoint is accessible over the network and requires only authentication (not administrative privileges), any authenticated RabbitMQ user can exploit this to read arbitrary files accessible to the RabbitMQ process [CWE-489].
Affected code
The ARN resolver in the amazon-mq/rabbitmq-aws plugin contains active debug code that handles a non-standard arn:aws-debug:file scheme. This code is reachable via the PUT /api/aws/arn/validate endpoint. The specific files changed are in commits 61ce3682d78700b7f364a44abadc52757b9caa7a and 908412d9ea83919027108f989c42eb3e5f33f350 [patch_id=879533, patch_id=879534].
What the fix does
The patches [patch_id=879533, patch_id=879534] remove or disable the debug ARN scheme handler that accepted arn:aws-debug:file URIs. By eliminating the active debug code, the ARN resolver no longer interprets file paths as valid ARNs, preventing the arbitrary file read. The fix ensures that only legitimate AWS ARN schemes are processed by the validation endpoint.
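To make the root cause and the fix concrete, the following added example models the resolver's dispatch in Python, before and after the change; it is not the plugin's Erlang code and it performs no I/O, returning a tuple that names the action each branch would take so the logic can be checked offline. It serves both the Vulnerability section (the debug clause maps the ARN's resource field straight to a file read) and the fix description above. Two assumptions, both labelled in the code: parse_arn accepts any partition string, since the plugin's parse_arn/1 is not shown on this page, and the partition allow-list beyond "aws" is the author's choice. The hardened variant goes one step past the visible diff by checking the partition as well as the service, because the remaining Erlang clauses match on service alone.

```python
"""Model of the ARN resolver's dispatch, before and after the fix.

Added example: Python modelling the behaviour described in the advisory and
the visible Erlang diff, not the plugin's own code. No backend is called and
no file is read; each resolver returns a tuple naming the action it would take.
Assumption: parse_arn accepts any partition string (the plugin's parse_arn/1
is not shown on the page).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Tuple

# Allow-lists for the hardened resolver. The services are the three ARN kinds
# left in CODEBASE_SUMMARY.md after the fix; the partition list beyond "aws"
# is an assumption (the page shows only "aws" and the removed "aws-debug").
ALLOWED_PARTITIONS = frozenset({"aws", "aws-cn", "aws-us-gov"})
ALLOWED_SERVICES = frozenset({"s3", "secretsmanager", "acm-pca"})


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(text: str) -> Optional[Arn]:
    """Split arn:partition:service:region:account:resource.

    The resource part may itself contain colons (Secrets Manager uses
    'secret:name'), so split at most five times. Returns None when the shape
    is wrong or the partition, service or resource is empty.
    """
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    _, partition, service, region, account, resource = parts
    if not partition or not service or not resource:
        return None
    return Arn(partition, service, region, account, resource)


def _dispatch(arn: Arn) -> Tuple[str, ...]:
    """Route by service, mirroring the clauses the fix left in place."""
    if arn.service == "s3":
        return ("s3", arn.resource)
    if arn.service == "secretsmanager":
        return ("secretsmanager", arn.region, arn.resource)
    if arn.service == "acm-pca":
        return ("acm-pca", arn.resource)
    return ("error", "unsupported_service")


def resolve_arn_vulnerable(text: str) -> Tuple[str, ...]:
    """Pre-0.2.1 shape: the debug clause maps straight to a local file read,
    and the other clauses match on service only, never on partition."""
    arn = parse_arn(text)
    if arn is None:
        return ("error", "invalid_arn")
    if arn.partition == "aws-debug" and arn.service == "file":
        return ("local_file_read", arn.resource)  # modelled; no I/O performed
    return _dispatch(arn)


def resolve_arn_hardened(text: str) -> Tuple[str, ...]:
    """Fixed shape plus a partition check: the debug clause is gone, and an
    ARN must carry a real AWS partition and a supported service before any
    backend would be contacted."""
    arn = parse_arn(text)
    if arn is None:
        return ("error", "invalid_arn")
    if arn.partition not in ALLOWED_PARTITIONS:
        return ("error", "unsupported_partition")
    if arn.service not in ALLOWED_SERVICES:
        return ("error", "unsupported_service")
    return _dispatch(arn)


if __name__ == "__main__":
    debug_arn = "arn:aws-debug:file:::/etc/rabbitmq/conf"  # path from the advisory's example
    confused = "arn:aws-debug:s3:::bucket/key"             # constructed: wrong partition, known service
    for label, fn in (("vulnerable", resolve_arn_vulnerable), ("hardened", resolve_arn_hardened)):
        print(f"{label:10s} {debug_arn} -> {fn(debug_arn)}")
        print(f"{label:10s} {confused} -> {fn(confused)}")
```

The second probe in the usage block is the point of the partition check: with service-only matching, an ARN in an unknown partition but a known service still reaches a backend, whereas the hardened resolver rejects it before dispatch.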
Preconditions
- auth: Attacker must be an authenticated RabbitMQ user
- network: Attacker must have network access to the RabbitMQ management API endpoint
- input: Attacker must craft a PUT request to /api/aws/arn/validate with an arn:aws-debug:file URI pointing to a target file
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.