CVE-2026-44838: RabbitMQ MQTT Auth Bypass Vulnerability

CVE-2026-44838 Overview

CVE-2026-44838 is an authorization bypass vulnerability in the RabbitMQ MQTT plugin. The flaw affects RabbitMQ versions 4.2.0 through 4.2.3. RabbitMQ's MQTT plugin supports topic-level authorization using regular expressions with variable substitution, such as ^{client_id}-sensors$. The plugin inserts the user-supplied client_id from the MQTT CONNECT packet into the regex pattern without escaping special regex characters. An authenticated MQTT user can inject regex operators into the client_id field to broaden the matched pattern and access topics outside their authorized scope. The vulnerability is classified under [CWE-863]: Incorrect Authorization. Maintainers fixed the issue in RabbitMQ 4.2.4 and 4.3.0.

Critical Impact

An authenticated MQTT user can bypass topic-level authorization by injecting regex metacharacters into the client_id field, gaining unauthorized read or write access to MQTT topics belonging to other users.

Affected Products

• RabbitMQ 4.2.0 through 4.2.3 (MQTT plugin enabled)
• RabbitMQ deployments using regex-based topic authorization with {client_id} substitution
• MQTT broker configurations relying on per-client topic isolation in RabbitMQ

Discovery Timeline

• 2026-05-27 - CVE-2026-44838 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44838

Vulnerability Analysis

The RabbitMQ MQTT plugin allows administrators to define topic authorization rules that include the placeholder {client_id}. When a client connects, the plugin substitutes the client-supplied identifier into the configured regex pattern before evaluating whether the user can publish or subscribe to a topic. The substitution occurs as a raw string replacement. Special regex metacharacters in the client_id are not escaped before insertion. This converts an attacker-controlled value into executable regex syntax inside the authorization decision path.

For a configured pattern such as ^{client_id}-sensors$, a benign client connecting with client_id=alice produces the expected regex ^alice-sensors$. A malicious client supplying a value containing regex operators alters the structure of the resulting pattern, allowing the matcher to accept topic names that the administrator intended to block.

Root Cause

The root cause is missing input sanitization at the boundary between untrusted user input and an authorization control expressed as a regular expression. The MQTT CONNECT packet's client_id field is interpolated directly into a regex string rather than being passed as a literal substring. Because the regex engine has no way to distinguish administrator-defined structure from user-injected metacharacters, the access control decision is influenced by the attacker.

Attack Vector

Exploitation requires valid MQTT credentials. The attacker connects to the broker over the network and supplies a crafted client_id value containing regex metacharacters such as .*, alternation |, or character classes. The forged identifier widens the matched topic space evaluated by the authorization engine. The attacker can then subscribe to or publish on topics outside the boundary the administrator defined. See the GitHub Security Advisory GHSA-x866-xp2g-cx8v for additional technical details.

Detection Methods for CVE-2026-44838

Indicators of Compromise

• MQTT CONNECT packets containing client_id values with regex metacharacters such as ., *, +, |, (, ), [, ], ^, or $.
• Authorization decisions in RabbitMQ logs that grant access to topics inconsistent with the user's expected scope.
• Subscription or publish activity on sensitive topics from users that historically only interacted with their own client-scoped topic tree.

Detection Strategies

• Audit RabbitMQ MQTT connection logs for client_id values that contain non-alphanumeric characters outside of an organization-approved naming scheme.
• Compare the topics each authenticated user accesses against the expected pattern derived from their account identity.
• Review the configured topic authorization regex patterns and flag any rule that uses {client_id} substitution without compensating controls.

Monitoring Recommendations

• Enable verbose authorization logging on the MQTT plugin and forward events to a centralized log platform for correlation.
• Alert on MQTT CONNECT events where the client_id length or character set deviates from baseline.
• Track publish and subscribe operations per user and alert on access to topics outside their established pattern.

How to Mitigate CVE-2026-44838

Immediate Actions Required

• Upgrade RabbitMQ to version 4.2.4 or 4.3.0, where the client_id value is properly escaped before regex substitution.
• Inventory all MQTT topic authorization rules that use {client_id} substitution and review historical access logs for anomalous topic access.
• Rotate MQTT credentials for any account observed using suspicious client_id values during the exposure window.

Patch Information

The RabbitMQ maintainers fixed CVE-2026-44838 in RabbitMQ 4.2.4 and 4.3.0. The patch escapes regex metacharacters in the client_id value before it is substituted into topic authorization patterns. Patch details and source-level fixes are documented in the GitHub Security Advisory GHSA-x866-xp2g-cx8v.

Workarounds

• Restrict MQTT client_id values at the broker or upstream proxy to a strict alphanumeric character set, rejecting any identifier containing regex metacharacters.
• Replace regex-based topic authorization rules that rely on {client_id} substitution with static per-user permissions where feasible.
• Limit MQTT plugin exposure to trusted networks until the upgrade to a patched version is complete.

# Example: enforce alphanumeric client_id at an upstream proxy or auth backend
# Reject MQTT CONNECT packets whose client_id contains regex metacharacters
client_id_regex='^[A-Za-z0-9_-]{1,64}$'
if [[ ! "$MQTT_CLIENT_ID" =~ $client_id_regex ]]; then
  echo "Rejecting connection: client_id contains disallowed characters"
  exit 1
fi