Description
RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_management HTTP API accepts oversized valid JSON bodies on with_decode and direct_request paths because read_complete_body checks the accumulated size before the final chunk but not the final combined size. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.
Published: 2026-07-10
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Rabbitmq
Rabbitmq rabbitmq-server
Vendors & Products Rabbitmq
Rabbitmq rabbitmq-server

Fri, 10 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_management HTTP API accepts oversized valid JSON bodies on with_decode and direct_request paths because read_complete_body checks the accumulated size before the final chunk but not the final combined size. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.
Title RabbitMQ management HTTP API accepts request bodies larger than configured max_http_body_size
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


Subscriptions

Rabbitmq Rabbitmq-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-10T20:15:28.422Z

Reserved: 2026-06-24T02:21:33.809Z

Link: CVE-2026-57212

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T21:30:04Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling