
CVE-2026-9133 - Arbitrary file read in rabbitmq-aws plugin

Bulletin ID: 2026-034-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/20/2026 12:45 PM PDT

Description:

rabbitmq-aws is a RabbitMQ plugin that resolves AWS ARNs found in the broker configuration at startup, fetching secrets (for example TLS certificates, private keys and passwords) from AWS services (Secrets Manager, S3, ACM Private CA) and handing them to RabbitMQ in memory, so that no secret material has to be written to the broker's filesystem. We identified CVE-2026-9133, an active-debug-code issue in the plugin's ARN resolver: debug functionality that was never meant to reach production remained reachable in release builds. The resolver accepts a debug ARN scheme, arn:aws-debug:file, and that scheme is also accepted by the PUT /api/aws/arn/validate validation endpoint. A remote authenticated user who submits such an ARN might cause the broker to read any file accessible to the RabbitMQ process, including filesystem-based TLS private keys and configuration files containing credentials. The debug code was inadvertently shipped in production builds with no configuration option or mechanism to disable it.

Impacted versions: >=0.1.0, <=0.2.0
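The following Python script is an added example; it is not code from the rabbitmq-aws plugin or from AWS. It does two things a practitioner wants around this bulletin: it checks an installed plugin version against the impacted range above, and it puts a resolver that honours a debug scheme of the kind described next to a hardened validator that allow-lists only the AWS partitions and the services the plugin fetches from (Secrets Manager, S3, ACM Private CA). The field layout of the debug scheme (arn:aws-debug:file:::<path>) and the fetch_from_aws placeholder, which returns the parsed fields where a real resolver would call the AWS SDK, are assumptions made for the example; the sample file it writes is constructed and is not a real key.

```python
"""Added example for CVE-2026-9133; not the rabbitmq-aws plugin's own code."""
import os
import re
import tempfile
from typing import Dict, Tuple

# Affected range from the bulletin: >=0.1.0, <=0.2.0; fixed in 0.2.1.
IMPACTED_LOW = (0, 1, 0)
IMPACTED_HIGH = (0, 2, 0)
FIXED_IN = (0, 2, 1)

# Partitions and services the plugin legitimately resolves. "aws-debug" is
# deliberately absent: anything not on these lists is refused.
ALLOWED_PARTITIONS = frozenset({"aws", "aws-cn", "aws-us-gov"})
ALLOWED_SERVICES = frozenset({"secretsmanager", "s3", "acm-pca"})

# arn:partition:service:region:account-id:resource (resource may contain ':').
ARN_RE = re.compile(
    r"^arn:(?P<partition>[a-z0-9-]+):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}|):(?P<resource>.+)$"
)


def parse_version(v: str) -> Tuple[int, int, int]:
    """'0.2.0' or 'v0.2' -> (0, 2, 0); short versions are zero-padded."""
    parts = [int(p) for p in v.strip().lstrip("v").split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])  # type: ignore[return-value]


def is_impacted(version: str) -> bool:
    """True when an installed rabbitmq-aws version falls in the affected range."""
    return IMPACTED_LOW <= parse_version(version) <= IMPACTED_HIGH


def fetch_from_aws(fields: Dict[str, str]) -> Dict[str, str]:
    """Placeholder (assumption): a real resolver would call the SDK here."""
    return fields


def resolve_arn_vulnerable(arn: str) -> object:
    """Vulnerable shape: a leftover debug scheme turns the resource field into
    a local path that is read with the broker process's privileges."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("malformed ARN")
    partition, service = parts[1], parts[2]
    if partition == "aws-debug" and service == "file":   # the bug
        with open(parts[5], "rb") as fh:
            return fh.read()
    keys = ("partition", "service", "region", "account", "resource")
    return fetch_from_aws(dict(zip(keys, parts[1:])))


def validate_arn(arn: str) -> Tuple[bool, str]:
    """Hardened check: well-formed ARN, allow-listed partition and service."""
    m = ARN_RE.match(arn)
    if not m:
        return False, "malformed ARN"
    if m["partition"] not in ALLOWED_PARTITIONS:
        return False, f"partition {m['partition']!r} not permitted"
    if m["service"] not in ALLOWED_SERVICES:
        return False, f"service {m['service']!r} not permitted"
    return True, "ok"


def resolve_arn_hardened(arn: str) -> Dict[str, str]:
    """Same resolver with validate_arn() in front: no local-file branch exists."""
    ok, reason = validate_arn(arn)
    if not ok:
        raise ValueError(reason)
    m = ARN_RE.match(arn)
    assert m is not None
    return fetch_from_aws(m.groupdict())


def demo_debug_scheme_reads_local_file() -> Tuple[bool, bool]:
    """Constructed demonstration. Returns (vulnerable resolver leaked the file,
    hardened validator accepted the ARN); the expected outcome is (True, False)."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as fh:
        fh.write(b"-----BEGIN PRIVATE KEY-----\nconstructed sample, not a real key\n")
        path = fh.name
    try:
        debug_arn = f"arn:aws-debug:file:::{path}"
        leaked = resolve_arn_vulnerable(debug_arn)
        accepted, _ = validate_arn(debug_arn)
        return (isinstance(leaked, bytes) and leaked.startswith(b"-----BEGIN PRIVATE KEY-----"),
                accepted)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("0.2.0 impacted:", is_impacted("0.2.0"), "| 0.2.1 impacted:", is_impacted("0.2.1"))
    print("debug ARN -> (leaked, accepted by hardened check):", demo_debug_scheme_reads_local_file())
    print(validate_arn("arn:aws:secretsmanager:us-east-1:123456789012:secret:broker/tls-key-AbCdEf"))
```

The fix the example models is structural rather than a blocklist entry: the hardened path has no branch that touches the local filesystem at all, so no further scheme, alias or casing trick can reach one. An allow-list of partitions and services is also easy to audit against the broker's actual configuration.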

Resolution:

This issue has been addressed in rabbitmq-aws version 0.2.1. We recommend upgrading to the latest version and ensuring that any forked or derivative code is patched to incorporate the fix. Because a successful exploit discloses the contents of files readable by the RabbitMQ process, we also recommend rotating any secrets stored in such files (for example filesystem-based TLS private keys and credentials in configuration files), regardless of whether exploitation has been confirmed.

Workarounds:

The plugin can be disabled with rabbitmq-plugins disable aws. This removes the validation endpoint, so any further PUT requests to /api/aws/arn/validate return 405 (Method Not Allowed) and the submitted ARNs are not fetched; confirm this response against the management API before relying on the workaround. Note that disabling the plugin also removes ARN resolution at startup, so the broker must fall back to filesystem-based certificate and credential configuration until the plugin is upgraded. The workaround does not undo any reads that may already have occurred; the secret rotation recommended above still applies.

References:


Please email aws-security@amazon.com with any security questions or concerns.