Arbitrary messages can be sent to celery workers regardless of ownership.
Tower does not set a secure channel, as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. The actual configuration setting that controls the channel securely is BROKER_URL, but Tower sets wrongly as CHANNEL_BROKER_URL, which does nothing.
This could lead in data leak of sensitive information such as passwords as well as DoS attacks by deleting projects or inventory files.
Red Hat CloudForms versions 4.5 and 4.6 ship an ansible-tower which correctly sets the security channel by default. Red Hat CloudForms version 4.7 ships ansible-tower 3.3.3 which already contains the fix.