CVE-2026-9133 · Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1.

01 · The Real Story

This is a spare key left behind the admin desk, not a burglar opening your front door

rabbitmq-aws before 0.2.1 shipped active debug code in its ARN resolver. If an attacker can send an authenticated PUT to /api/aws/arn/validate, they can abuse the debug scheme arn:aws-debug:file to read any file the RabbitMQ process can read, including broker config, passwords, and potentially TLS private keys. Affected versions are >=0.1.0 and <=0.2.0.

AWS scored this HIGH at 7.7, but that overstates the enterprise patching urgency. In the real world this is not pre-auth, not RCE, not broad internet spray, and the vulnerable code path only matters where the aws plugin is enabled, the management API is reachable, and the attacker already has valid management credentials; those are heavy compounding frictions that push this into post-initial-access secret exposure, not frontline emergency patching.

"Serious only after you already have broker admin reach and credentials; that friction knocks this down from vendor HIGH to MEDIUM."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the RabbitMQ management API

The attacker first needs network access to the broker web console / management API, which Amazon MQ exposes on 443 and 15671. In practice this means either a publicly accessible broker or a foothold inside the VPC plus security-group reachability. Tooling is trivial: curl, Burp, or any HTTP client is enough once the endpoint is reachable.

Conditions required:

Amazon MQ for RabbitMQ deployment
Broker management API reachable on 443 or 15671
Broker uses the aws plugin path relevant to ARN validation

Where this breaks in practice:

AWS recommends private brokers, and many enterprise RabbitMQ deployments are VPC-only
Security groups often restrict web console access to admin IPs or jump hosts
This is a niche endpoint, not a default mass-scan favorite

Detection/coverage: Network scanners can find RabbitMQ management ports, but they cannot confirm this CVE without authenticated interaction. VPC Flow Logs, WAF/reverse proxy logs, and RabbitMQ access logs are your best coverage for step 1.

STEP 02

Obtain valid management credentials

The vulnerable endpoint is behind authenticated RabbitMQ management access, so the attacker needs a real broker account with enough rights to call the validation API. That usually means credential theft, insider access, or compromise of an automation account already trusted to manage the broker. Tooling remains low-end: browser session reuse, curl -u, or a stolen Basic Auth secret is sufficient.

Conditions required:

Valid RabbitMQ user credentials
Permissions sufficient to use management API features

Where this breaks in practice:

This is authenticated remote, which implies prior compromise or insider position
MFA, SSO fronting, secret rotation, and PAM reduce reachable population further
Many app users can publish/consume messages but do not get management API rights

Detection/coverage: Credentialed vulnerability scanners will miss this if they lack management access. Watch for unusual management logins, Basic Auth use from new sources, and API activity from non-admin automation hosts.

STEP 03

Abuse the debug ARN scheme

With access established, the attacker sends a PUT /api/aws/arn/validate request containing arn:aws-debug:file:/path/to/file. Per AWS and GitHub, production builds accepted this debug-only scheme and used it to read disk content through the RabbitMQ process. A one-liner curl request is enough; there is no exploit chain complexity here.

Conditions required:

Vulnerable rabbitmq-aws version <=0.2.0
aws plugin enabled
Validation endpoint exposed to the authenticated user

Where this breaks in practice:

The vulnerable code path disappears if the aws plugin is disabled
Not every Amazon MQ RabbitMQ broker uses ARN-backed config
Brokers already patched to 0.2.1 or vendor-updated managed images are not affected

Detection/coverage: Most SAST/SBOM tools can flag the package version, but runtime detection is better: alert on requests to /api/aws/arn/validate, especially bodies containing aws-debug or obvious filesystem paths.

STEP 04

Harvest secrets and pivot

The attacker reads files accessible to the RabbitMQ OS process, aiming for broker configs, certs, keys, and local secret material. If file-based TLS private keys or passwords are present, the impact can jump from simple disclosure to credential reuse, service impersonation, or broader message-broker trust abuse. Tools here are just parsers and standard post-exploitation tradecraft; the vulnerability itself stops at file read.

Conditions required:

Sensitive files exist on disk and are readable by the RabbitMQ process
Stolen material is still valid and useful elsewhere

Where this breaks in practice:

Impact depends heavily on what is actually on disk; some shops keep secrets in AWS services, not local files
No direct integrity or availability impact from the flaw itself
Secret rotation and certificate rotation can sharply limit downstream blast radius

Detection/coverage: This step often leaves no distinct signature beyond the earlier API call. Follow-on detections matter more: unexpected cert use, auth failures after rotation, and anomalous broker admin activity.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No current evidence of active exploitation in the sources reviewed. AWS describes the issue and fix, but not live attacks; CISA KEV does not list `CVE-2026-9133`.
KEV status	Not KEV-listed as of this assessment. No CISA due date because it is absent from the catalog.
EPSS	`0.00027` probability, which is very low and consistent with a niche, authenticated-only management-plane flaw rather than an internet-wide exploitation candidate.
Proof-of-concept availability	No public PoC was referenced by AWS, NVD, or the GitHub advisory/release notes reviewed. That does not mean exploit development is hard; the HTTP request format is straightforward once prerequisites are met.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N` captures the confidentiality impact, but `PR:L` is doing a lot of work here. In enterprise terms, that means the attacker already crossed the line into valid broker administration reach.
Affected versions	`rabbitmq-aws >=0.1.0 and <=0.2.0`, per AWS and GitHub.
Fixed version	Patched in `rabbitmq-aws 0.2.1`. For Amazon MQ customers, the practical fix is the vendor-managed update path that incorporates this plugin version; if you run derivative/forked code, you need the same removal of the debug ARN handler.
Exposure population	Reachable population is narrower than generic RabbitMQ: the target must be Amazon MQ for RabbitMQ, using the `aws` plugin path, with management API exposure and valid credentials. AWS documentation also pushes private brokers and shows separate access steps for non-public brokers, which materially cuts internet exposure.
Scanning and detection	Internet-wide port scans can spot RabbitMQ management surfaces, but product-specific confirmation is poor without auth because exploitation requires a valid session and a custom endpoint. Prioritize log detection for `/api/aws/arn/validate` and request bodies containing `aws-debug`.
Disclosure and reporter	Disclosed `2026-05-20` by AWS (`2026-034-AWS`). Public GitHub advisory publisher shown as `the-mikedavis` / Michael Davis.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.4/10)

The decisive factor is authenticated management-plane access: to exploit this, the attacker typically already has a VPC path or public broker reach plus valid RabbitMQ management credentials. That makes this a meaningful post-compromise secret exposure issue, but not the kind of internet-facing pre-auth flaw that deserves a HIGH enterprise patching sprint on its own.

HIGH Exploit prerequisite assessment: authenticated management access is required

MEDIUM Exposure-population estimate across real Amazon MQ RabbitMQ deployments

Why this verdict

Start from 7.7 HIGH, then subtract for attacker position: this is PR:L against a management API, so the attacker is already an authenticated remote user rather than an unauthenticated external actor.
Subtract again for exposure narrowing: the broker must be Amazon MQ for RabbitMQ, the aws plugin must matter, and the management API must be reachable. That is a much smaller population than generic RabbitMQ or generic AWS services.
Hold it above LOW because the data at risk is real: readable files can include broker secrets, passwords, and TLS private keys, which can create durable follow-on access even though the bug itself is 'only' file disclosure.

Why not higher?

This is not pre-auth, not code execution, and not broadly wormable. The attacker needs network reachability to the management plane and valid credentials, which means most organizations would already be dealing with a prior control failure or an insider-equivalent scenario before this bug matters.

Why not lower?

Arbitrary file read on a broker is not harmless admin trivia. If the RabbitMQ process can read key material, passwords, or sensitive config, the resulting disclosure can enable credential reuse, TLS impersonation, and longer-lived access that outlasts the initial session.

05 · Compensating Control

What to do — in priority order.

Restrict management API reachability — Constrain 443/15671 to admin jump hosts, approved VPN ranges, or VPC-only access. For a MEDIUM verdict there is no mitigation SLA, but this is still the highest-value containment move because it removes the first exploit step without waiting for vendor maintenance.
Reduce management credentials — Review RabbitMQ users and automation accounts for management API rights; strip admin or policy-management permissions from any account that only publishes or consumes messages. There is no mitigation SLA — go straight to the 365-day remediation window, but access reduction should happen during normal credential hygiene work well before that patch deadline.
Disable the aws plugin where unused — If you are not using ARN-backed configuration, disable the plugin so /api/aws/arn/validate returns 405 and the vulnerable path is gone. Use this where operationally safe; if the broker depends on ARN resolution at startup, validate the fallback configuration first.
Rotate file-based secrets after exposure review — If the endpoint was reachable to untrusted admins, rotate any TLS private keys, passwords, or local secret files readable by the RabbitMQ process. Do this as part of remediation validation, because the patch stops future reads but does not invalidate already-stolen material.
Alert on validation endpoint use — Instrument reverse proxy, broker, and VPC logs to flag PUT /api/aws/arn/validate, especially request bodies containing arn:aws-debug:file or raw filesystem paths. For a niche authenticated flaw, targeted detections are often more practical than broad signature coverage.

What doesn't work

A generic internet perimeter scanner does not solve this; it may find port 15671/443, but it cannot confirm the CVE without valid credentials and endpoint-specific requests.
Rotating AMQP client passwords alone is not sufficient if file-based TLS keys or other local secrets may already have been read.
Relying on low EPSS as a reason to ignore exposure is not enough; EPSS is low because the reachable population is narrow, not because the underlying file read is benign once the prerequisites are met.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or EC2 instance that can already reach the broker management API; for private brokers, use a host inside the same VPC or the documented proxy/tunnel path. Invoke it as ./check_cve_2026_9133.sh https://b-1234.mq.us-east-1.amazonaws.com:443 admin 'SuperSecret!' /etc/hostname; no root privileges are required, but you do need valid RabbitMQ management credentials and authorization to test the broker.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_9133.sh
# Detects CVE-2026-9133 on an Amazon MQ RabbitMQ broker by safely probing
# the authenticated ARN validation endpoint with a benign file path.
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error / insufficient access

set -u

usage() {
  echo "Usage: $0 <base_url> <username> <password> [test_file]"
  echo "Example: $0 https://b-1234.mq.us-east-1.amazonaws.com:443 admin 'SuperSecret!' /etc/hostname"
}

if [ $# -lt 3 ]; then
  usage
  exit 2
fi

BASE_URL="$1"
USER="$2"
PASS="$3"
TEST_FILE="${4:-/etc/hostname}"
ENDPOINT="${BASE_URL%/}/api/aws/arn/validate"
BODY=$(printf '{"assume_role_arn":"arn:aws:iam::111122223333:role/does-not-matter","arns":["arn:aws-debug:file:%s"]}' "$TEST_FILE")
TMP_BODY=$(mktemp)
trap 'rm -f "$TMP_BODY"' EXIT

HTTP_CODE=$(curl -k -sS -u "$USER:$PASS" \
  -o "$TMP_BODY" \
  -w '%{http_code}' \
  -X PUT \
  -H 'content-type: application/json' \
  --data "$BODY" \
  "$ENDPOINT" 2>/dev/null)
CURL_RC=$?

if [ $CURL_RC -ne 0 ]; then
  echo "UNKNOWN - network or TLS error reaching $ENDPOINT"
  exit 2
fi

RESP=$(cat "$TMP_BODY")

case "$HTTP_CODE" in
  200)
    # Heuristic: if the debug scheme works, response often contains file content
    # or at least echoes the test path without rejecting the scheme.
    if echo "$RESP" | grep -qiE 'aws-debug:file|/etc/hostname|hostname|resolved|content|value'; then
      # Stronger signal: response does NOT reject the scheme and appears to process it.
      if ! echo "$RESP" | grep -qiE 'unsupported|invalid arn|invalid scheme|method not allowed|not allowed'; then
        echo "VULNERABLE - endpoint accepted debug ARN scheme; inspect response manually"
        exit 1
      fi
    fi
    # 200 but ambiguous response
    echo "UNKNOWN - endpoint reachable and authenticated, but response was inconclusive"
    echo "$RESP"
    exit 2
    ;;
  401|403)
    echo "UNKNOWN - authentication succeeded poorly or account lacks required management access (HTTP $HTTP_CODE)"
    exit 2
    ;;
  404)
    echo "PATCHED - validation endpoint not present"
    exit 0
    ;;
  405)
    echo "PATCHED - aws plugin disabled or method blocked (HTTP 405)"
    exit 0
    ;;
  *)
    if echo "$RESP" | grep -qiE 'unsupported|invalid arn|invalid scheme|unknown partition|aws-debug'; then
      echo "PATCHED - debug ARN scheme rejected"
      exit 0
    fi
    echo "UNKNOWN - unexpected HTTP status $HTTP_CODE"
    echo "$RESP"
    exit 2
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, identify every Amazon MQ for RabbitMQ broker that exposes the management API and uses ARN-backed configuration, then immediately cut that list down to the ones with public accessibility or broad admin credential distribution. For this MEDIUM reassessment there is no noisgate mitigation SLA — go straight to the 365-day remediation window; complete the vendor fix to rabbitmq-aws 0.2.1 or the corresponding managed-service update within the noisgate remediation SLA of 365 days, and rotate any file-based TLS keys or local secrets on brokers where untrusted admins could have reached /api/aws/arn/validate.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.