Amazon MQ rabbitmq-aws <0.2.1: Debug ARN allows remote file read
CVE-2026-9133 Published on May 20, 2026
Arbitrary file read in rabbitmq-aws plugin
Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process.
To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.
Vulnerability Analysis
CVE-2026-9133 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Active Debug Code
The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.
Products Associated with CVE-2026-9133
stack.watch emails you whenever new vulnerabilities are published in Rabbitmq Aws or Amazon Aws. Just hit a watch button to start following.
Affected Versions
RabbitMQ AWS:- Version 0.1.0, <= 0.2.0 is affected.