{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-57212","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-24T02:21:33.809Z","datePublished":"2026-07-10T20:15:28.422Z","dateUpdated":"2026-07-10T20:15:28.422Z"},"containers":{"cna":{"title":"RabbitMQ management HTTP API accepts request bodies larger than configured max_http_body_size","problemTypes":[{"descriptions":[{"cweId":"CWE-770","lang":"en","description":"CWE-770: Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L","version":"4.0"}}],"references":[{"name":"https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5cmq-vp28-xqrj","tags":["x_refsource_CONFIRM"],"url":"https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5cmq-vp28-xqrj"},{"name":"https://github.com/rabbitmq/rabbitmq-server/pull/15712","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/pull/15712"},{"name":"https://github.com/rabbitmq/rabbitmq-server/pull/15714","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/pull/15714"},{"name":"https://github.com/rabbitmq/rabbitmq-server/commit/3976d148901bdfa82e1cd60b7a4534e073266ba5","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/commit/3976d148901bdfa82e1cd60b7a4534e073266ba5"},{"name":"https://github.com/rabbitmq/rabbitmq-server/commit/b8fc2ef7c50a2797d15e1ea7cf34f290032303bb","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/commit/b8fc2ef7c50a2797d15e1ea7cf34f290032303bb"},{"name":"https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.5","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.5"}],"affected":[{"vendor":"rabbitmq","product":"rabbitmq-server","versions":[{"version":">= 4.2.0, < 4.2.5","status":"affected"},{"version":">= 4.1.0, < 4.1.10","status":"affected"},{"version":">= 4.0.0, < 4.0.19","status":"affected"},{"version":">= 3.13.0, < 3.13.14","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-10T20:15:28.422Z"},"descriptions":[{"lang":"en","value":"RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_management HTTP API accepts oversized valid JSON bodies on with_decode and direct_request paths because read_complete_body checks the accumulated size before the final chunk but not the final combined size. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5."}],"source":{"advisory":"GHSA-5cmq-vp28-xqrj","discovery":"UNKNOWN"}}}}