It was found that RabbitMQ's MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.
Created rabbitmq-server tracking bugs for this issue:
Affects: epel-all [bug 1409749]
Affects: fedora-all [bug 1409750]
https://github.com/rabbitmq/rabbitmq-mqtt/issues/96. This seems to be the upstream fix.
Indeed, we don't use MQTT in our OpenStack configuration, so it was decided that the impact of this issue is negligibly low.
It's possible to backport the fix to OSP10 though.
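
The condition in the description at the top of this report (a username supplied with the password omitted) can be checked for when reviewing captured MQTT traffic. The following is an added example, not code from this report or from RabbitMQ. It parses an MQTT 3.1/3.1.1 CONNECT packet and classifies its credentials. The function names, labels and sample packets are constructed for illustration, and the empty-password label is an extra case beyond the one the report names.

```python
import struct

USERNAME_FLAG, PASSWORD_FLAG, WILL_FLAG = 0x80, 0x40, 0x04

def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' of the fixed header."""
    value = shift = 0
    while shift <= 21:                      # at most four length bytes
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one field with a 2-byte big-endian length prefix."""
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def audit_connect(packet):
    """Classify the credentials carried by an MQTT 3.1/3.1.1 CONNECT packet."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    _, pos = _field(body, 0)                # protocol name
    flags = body[pos + 1]                   # byte after the protocol level
    _, pos = _field(body, pos + 4)          # skip level, flags, keep-alive; read client id
    if flags & WILL_FLAG:                   # will topic and will message
        _, pos = _field(body, pos)
        _, pos = _field(body, pos)
    if not flags & USERNAME_FLAG:
        return "no-username"
    _, pos = _field(body, pos)              # user name
    if not flags & PASSWORD_FLAG:
        return "username-without-password"  # the case in the report
    password, _ = _field(body, pos)
    return "username-with-password" if password else "username-with-empty-password"

# Constructed sample packets (client id "c1", user "alice"), not captured traffic.
WITH_PW = b"\x10\x19\x00\x04MQTT\x04\xc2\x00\x3c\x00\x02c1\x00\x05alice\x00\x02pw"
NO_PW = b"\x10\x15\x00\x04MQTT\x04\x82\x00\x3c\x00\x02c1\x00\x05alice"
```

A CONNECT with a user name and no password is valid MQTT, so the label marks a connection to review against the broker's accounts rather than a malformed packet.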