Jump to solution
Verify

Celery Documentation of "accept_content" configuration directive seems incorrect (Fix)

Fixed
Spec
Package
Celery
Fixed In
4.4.0rc5
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.55
#4616 ai security serialization Updated: 2026-02-13
Issue #4616

The Fix

pip install celery==4.4.0rc5

Based on closed celery/celery issue #4616 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -182,8 +182,9 @@ A white-list of content-types/serializers to allow. the message will be discarded with an error. -By default any content type is enabled, including pickle and yaml, -so make sure untrusted parties don't have access to your broker. +By default only json is enabled but any content type can be added,
repro.py
accept_content Default: {'json'} (set, list, or tuple). A white-list of content-types/serializers to allow. If a message is received that’s not in this list then the message will be discarded with an error. By default any content type is enabled, including pickle and yaml, so make sure untrusted parties don’t have access to your broker. See Security for more.
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install celery==4.4.0rc5\nWhen NOT to use: This fix should not be applied if the documentation is already correct.\n\n

Why This Fix Works in Production

  • Trigger: Documentation of "accept_content" configuration directive seems incorrect
  • Mechanism: The documentation incorrectly states that any content type is enabled by default
  • Why the fix works: Updates the documentation of the 'accept_content' configuration directive to clarify that by default only 'json' is enabled. (first fixed release: 4.4.0rc5).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • The documentation incorrectly states that any content type is enabled by default
  • Production symptom (often without a traceback): Documentation of "accept_content" configuration directive seems incorrect

Proof / Evidence

  • GitHub issue: #4616
  • Fix PR: https://github.com/celery/celery/pull/4658
  • First fixed release: 4.4.0rc5
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.55

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“We just ran into this ourselves; it should definitely be changed.”
@rusty-udemy · 2018-04-09 · source
“@auvipy you mean a PR to change the documentation, right? If so I can do it. :-)”
@felipegeru · 2018-04-11 · source
“Just created the above PR (https://github.com/celery/celery/pull/4658).”
@felipegeru · 2018-04-11 · source

Failure Signature (Search String)

  • Documentation of "accept_content" configuration directive seems incorrect
  • If a message is received that’s not in this list then the message will be discarded with an error.
Copy-friendly signature
signature.txt
Failure Signature ----------------- Documentation of "accept_content" configuration directive seems incorrect If a message is received that’s not in this list then the message will be discarded with an error.

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- Documentation of "accept_content" configuration directive seems incorrect If a message is received that’s not in this list then the message will be discarded with an error.

Minimal Reproduction

repro.py
accept_content Default: {'json'} (set, list, or tuple). A white-list of content-types/serializers to allow. If a message is received that’s not in this list then the message will be discarded with an error. By default any content type is enabled, including pickle and yaml, so make sure untrusted parties don’t have access to your broker. See Security for more.

What Broke

Tasks using non-JSON serializers failed due to incorrect configuration.

Why It Broke

The documentation incorrectly states that any content type is enabled by default

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install celery==4.4.0rc5

When NOT to use: This fix should not be applied if the documentation is already correct.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/celery/celery/pull/4658

First fixed release: 4.4.0rc5

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be applied if the documentation is already correct.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Version Compatibility Table

VersionStatus
4.4.0rc5 Fixed

Related Issues

No related fixes found.

Cluster: celery:configuration-error Celery hub Celery best practices All hubs All clusters
Related clusters: Data consistency Duplicates Duplicate processing

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #4616. Not affiliated with the library maintainers. Verify before production use.