Let's consider the default setup of a RabbitMQ instance. It comes with a default guest user (with a guest password) known by anyone with basic knowledge about the broker. Moreover, this user has an administrator tag giving them full access to administer the broker, and, even worse, if the RabbitMQ instance port is visible to the outside world, remote commands can be executed using the rabbitmqctl utility on that workstation using the eval command. For this reason, it is advisable (not to say mandatory) to remove the guest user in production deployments. Although the latest versions of RabbitMQ allow only localhost access for the guest user, this still imposes a high risk for insider attacks. RabbitMQ stores information about users ...