Skip to content

Replace the RabbitMQ guest user

Severity: criticalApplies to: RabbitMQ 3.x / 4.x
The fix
Terminal window
# Create a real admin, then delete guest
rabbitmqctl add_user app_admin "$(openssl rand -base64 24)"
rabbitmqctl set_user_tags app_admin administrator
rabbitmqctl set_permissions -p / app_admin '.*' '.*' '.*'
rabbitmqctl delete_user guest

Every RabbitMQ install ships with a user named guest, password guest, holding the administrator tag and full permissions on the default virtual host. It is the single most universally known credential in the message-broker world, and scanners try it first.

RabbitMQ’s mitigation is real but narrow: guest can only connect over loopback. The loopback_users setting lists users restricted to local connections, and guest is on it by default. So a remote AMQP client presenting guest/guest is refused — the credential works only from the broker host itself.

That’s genuinely helpful, and it’s why a default RabbitMQ isn’t immediately ownable from the internet. But it’s a thin line, and there’s a specific way people cross it.

The moment someone needs a remote client to connect and reaches for guest, they hit the loopback restriction, and search for how to remove it. The answer they find is:

# rabbitmq.conf — DO NOT do this
loopback_users = none

That removes the loopback restriction from every user, including guest. Now guest/guest authenticates from anywhere, with administrator rights, on a broker that is very likely also exposing its ports. That is a fully open, admin-level message broker reachable from the internet — and it’s a configuration people apply deliberately, to fix a connection problem.

Never set loopback_users = none. If a remote client needs to authenticate, give it a real user. That’s the whole fix, and it’s less work than the dangerous one.

Leaving guest in place — even loopback-only — means the well-known credential still works for anything with local access, which includes a compromised co-located process. Once you have a real administrator account, delete it:

Terminal window
rabbitmqctl delete_user guest

If you can’t delete it for some legacy reason, at minimum change its password and strip its tags and permissions so it can do nothing.

The replacement for guest is not one shared admin that every app uses. That just renames the problem. Each application gets its own user, scoped to the virtual host and permissions it needs, with no administrator tag. The admin account you create here is for administration, used rarely — the same logic as Elasticsearch’s elastic and Postgres superuser.