CVE-2026-57212
Received Received - Intake

Memory Corruption in RabbitMQ Management API

Vulnerability report for CVE-2026-57212, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_management HTTP API accepts oversized valid JSON bodies on with_decode and direct_request paths because read_complete_body checks the accumulated size before the final chunk but not the final combined size. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
rabbitmq rabbitmq_management to 3.13.14 (exc)
rabbitmq rabbitmq_management to 4.0.19 (exc)
rabbitmq rabbitmq_management to 4.1.10 (exc)
rabbitmq rabbitmq_management to 4.2.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the RabbitMQ management HTTP API in versions prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5. The issue occurs because the API accepts oversized valid JSON bodies on the with_decode and direct_request paths. The root cause is that the function read_complete_body checks the accumulated size of the JSON body before the final chunk is received, but it does not check the final combined size after all chunks are received. This allows an attacker to send an oversized JSON body that bypasses size checks.

Impact Analysis

The vulnerability can lead to potential denial of service or resource exhaustion because oversized JSON bodies may be processed without proper size validation. This can cause the RabbitMQ management API to consume excessive memory or processing resources, potentially impacting the availability and stability of the messaging broker service.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade RabbitMQ to one of the fixed versions: 3.13.14, 4.0.19, 4.1.10, or 4.2.5.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart