CVE-2026-9133

Published: May 20, 2026

Modified: May 21, 2026

PUBLISHED

CVSS v3.1

7.7

HIGH

Description

Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.

Vendor	Product	Versions
AWS	RabbitMQ AWS	affected `0.1.0 - <= 0.2.0`

Weaknesses (CWE)

CWE-489

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/amazon-mq/rabbitmq-aws/releases/tag/0.2.1

patch

https://aws.amazon.com/security/security-bulletins/2026-034-aws/

vendor-advisory

https://github.com/amazon-mq/rabbitmq-aws/security/advisories/GHSA-8554-wg4r-7hxm

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-9133

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References