CVE-2026-57212

HIGH

RabbitMQ management HTTP API accepts request bodies larger than configured max_http_body_size

Title source: cna
STIX 2.1

Description

RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_management HTTP API accepts oversized valid JSON bodies on with_decode and direct_request paths because read_complete_body checks the accumulated size before the final chunk but not the final combined size. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.

Scores

CVSS v3 7.7
EPSS 0.0029
EPSS Percentile 21.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (5)
broadcom/rabbitmq_server 3.13.0 - 4.2.5
rabbitmq/rabbitmq-server >= 3.13.0, < 3.13.14
rabbitmq/rabbitmq-server >= 4.0.0, < 4.0.19
rabbitmq/rabbitmq-server >= 4.1.0, < 4.1.10
rabbitmq/rabbitmq-server >= 4.2.0, < 4.2.5
Published Jul 10, 2026
Tracked Since Jul 11, 2026