CVE-2026-9133 Overview
CVE-2026-9133 is an arbitrary file read vulnerability in the amazon-mq/rabbitmq-aws library before version 0.2.1. The Amazon Resource Name (ARN) resolver contains active debug code that recognizes a non-production arn:aws-debug:file scheme. The PUT /api/aws/arn/validate endpoint accepts this debug ARN, which lets a remote authenticated user request reads of any file accessible to the RabbitMQ process. The flaw is classified under [CWE-489: Active Debug Code]. Successful exploitation exposes filesystem contents on the RabbitMQ broker host, including configuration files, secrets, and TLS private keys if present.
Critical Impact
Authenticated attackers can read arbitrary files accessible to the RabbitMQ process, including credentials, configuration, and TLS private keys, by submitting an arn:aws-debug:file payload to the ARN validation endpoint.
Affected Products
- amazon-mq/rabbitmq-aws versions prior to 0.2.1
- RabbitMQ deployments embedding the vulnerable rabbitmq-aws plugin
- Amazon MQ for RabbitMQ workloads using the affected library
Discovery Timeline
- 2026-05-20 - CVE-2026-9133 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9133
Vulnerability Analysis
The rabbitmq-aws library provides ARN parsing and validation for RabbitMQ integrations with Amazon Web Services. The ARN resolver supports multiple URI schemes through a partition prefix such as arn:aws: or arn:aws-cn:. The vulnerable releases also accept arn:aws-debug:file, a developer-oriented scheme that resolves the trailing identifier as a local filesystem path. When the PUT /api/aws/arn/validate endpoint dispatches such an ARN, the resolver opens the referenced file and returns its contents to the caller as part of validation output.
Any user holding RabbitMQ management API credentials with permission to call the validation endpoint can submit crafted ARNs. The process reads files using the privileges of the RabbitMQ broker, typically a dedicated service account with access to /etc/rabbitmq/, mnesia directories, certificate stores, and any data the broker can reach.
Root Cause
The root cause is residual debug functionality shipped in production code. The aws-debug partition handler was not gated behind a build flag or runtime configuration. Because the validation endpoint trusts the resolver to return only metadata, no secondary path sanitization or scheme allow-list rejects the debug URI before file I/O occurs.
Attack Vector
Exploitation requires network reachability to the RabbitMQ management API and a valid authenticated session with permission to invoke ARN validation. The attacker sends a PUT request to /api/aws/arn/validate containing an ARN of the form arn:aws-debug:file:::<absolute-path>. The server returns the contents of the specified file in the response body. No user interaction is required, and the operation does not modify broker state, which reduces the likelihood of detection through standard error monitoring.
No public exploit code or proof-of-concept has been published at the time of writing. See the GitHub Security Advisory GHSA-8554 for vendor-confirmed technical details.
Detection Methods for CVE-2026-9133
Indicators of Compromise
- HTTP requests to PUT /api/aws/arn/validate containing the literal substring arn:aws-debug:file in the request body
- Management API access log entries showing ARN validation calls returning unusually large response bodies
- RabbitMQ process file-open events targeting /etc/passwd, /etc/rabbitmq/, certificate directories, or ~/.aws/credentials outside normal startup
- Authenticated management users issuing repeated validation requests with varied path payloads
Detection Strategies
- Inspect reverse proxy and load balancer logs in front of the RabbitMQ management plugin for request bodies referencing the aws-debug partition
- Correlate management API audit logs with broker process file-access telemetry to identify reads of sensitive files driven by HTTP requests
- Alert on any arn: value passed to the validation endpoint that does not begin with an approved partition prefix such as arn:aws: or arn:aws-cn:
Monitoring Recommendations
- Enable detailed access logging on the RabbitMQ management HTTP listener and forward logs to a central analytics platform
- Monitor outbound responses from the validation endpoint for payload sizes inconsistent with normal ARN metadata
- Track the inventory of rabbitmq-aws plugin versions across brokers and flag any instance below 0.2.1
How to Mitigate CVE-2026-9133
Immediate Actions Required
- Upgrade rabbitmq-aws to version 0.2.1 or later on every RabbitMQ node that loads the plugin
- Rotate any TLS private keys, AWS credentials, and broker configuration secrets that the RabbitMQ process could read, since prior reads cannot be ruled out
- Restrict access to the RabbitMQ management API to trusted administrative networks using network controls or a reverse proxy allow-list
- Review management user permissions and remove the ability to call ARN validation for accounts that do not require it
Patch Information
The fix is delivered in rabbitmq-aws0.2.1, which removes the arn:aws-debug:file scheme from the resolver. Release notes and source changes are available in the GitHub RabbitMQ-AWS Release 0.2.1. Amazon MQ customers should review the AWS Security Bulletin 2026-034 for managed-service guidance.
Workarounds
- Block requests containing aws-debug in the body of /api/aws/arn/validate at a web application firewall or reverse proxy until patching is complete
- Disable the RabbitMQ management plugin on production brokers that do not require remote administration
- Run the RabbitMQ service under a dedicated low-privilege account with filesystem access limited to required directories
# Example WAF rule fragment to block the debug ARN scheme
# (apply to PUT requests targeting /api/aws/arn/validate)
SecRule REQUEST_URI "@streq /api/aws/arn/validate" \
"id:9026133,phase:2,deny,status:400,log,\
chain,msg:'Block rabbitmq-aws debug ARN (CVE-2026-9133)'"
SecRule REQUEST_BODY "@contains arn:aws-debug:" "t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
