diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_bindings.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_bindings.erl
index 6548b051f0..52b7036e9c 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_bindings.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_bindings.erl
@@ -54,6 +54,10 @@ resource_exists(ReqData, {Mode, Context}) ->
 content_types_accepted(ReqData, Context) ->
 {[{'*', accept_content}], ReqData, Context}.
+%% Methods to add to the CORS header.
+%% This clause is called by rabbit_mgmt_cors:handle_options/2
+allowed_methods(undefined, undefined) ->
+ {[<<"HEAD">>, <<"GET">>, <<"POST">>, <<"OPTIONS">>], undefined, undefined};
 allowed_methods(ReqData, {Mode, Context}) ->
 {case Mode of
 source_destination -> [<<"HEAD">>, <<"GET">>, <<"POST">>, <<"OPTIONS">>];
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_users_bulk_delete.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_users_bulk_delete.erl
index 4600b325d4..32dddbccd3 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_users_bulk_delete.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_users_bulk_delete.erl
@@ -41,7 +41,7 @@ content_types_provided(ReqData, Context) ->
 {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
 allowed_methods(ReqData, Context) ->
- {[<<"POST">>], ReqData, Context}.
+ {[<<"POST">>, <<"OPTIONS">>], ReqData, Context}.
 is_authorized(ReqData, Context) ->
 rabbit_mgmt_util:is_authorized_admin(ReqData, Context).
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
index 57d6946f5c..80a9547d0a 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
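Review bot: The new `allowed_methods(undefined, undefined)` clause in rabbit_mgmt_wm_bindings.erl lists `POST` for every bindings route, while the clause directly below it allows `POST` only when `Mode` is `source_destination`. If this list is what ends up in the CORS allow-methods header, as the added comment suggests, a preflight for the other modes would advertise a method the resource then rejects. `Mode` is not available on this call path, so I would at least state that in the comment: `%% Mode is unknown here, so this is the superset of methods; POST is only accepted for source_destination.` The body of `allowed_methods/2` continues past the end of the hunk.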
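Review bot: `allowed_methods/2` in rabbit_mgmt_wm_users_bulk_delete.erl now accepts `OPTIONS` on a resource whose `is_authorized/2` is admin-only, and the hunk does not show whether a preflight is answered before or after that callback. The test added in rabbit_mgmt_http_SUITE.erl sends OPTIONS with only an Origin header and expects 200, which suggests it is answered without credentials. That is normal for CORS preflights, but it should be stated next to the method list so nobody later assumes every method here is admin-gated. If that is the intended behaviour, a comment above the function would do: `%% OPTIONS is answered for CORS preflight without authentication; POST still requires an administrator (see is_authorized/2).`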
@@ -2820,10 +2820,25 @@ cors_test(Config) ->
 {ok, {_, HdNoMaxAgeCORS, _}} = req(Config, options, "/overview", [{"origin", "https://rabbitmq.com"}, auth_header("guest", "guest")]),
 false = lists:keymember("access-control-max-age", 1, HdNoMaxAgeCORS),
+
+ %% Check OPTIONS method in all paths
+ check_cors_all_endpoints(Config),
 %% Disable CORS again.
 rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, [rabbitmq_management, cors_allow_origins, []]),
 passed.
+check_cors_all_endpoints(Config) ->
+ Endpoints = get_all_http_endpoints(),
+
+ [begin
+ ct:pal("Options for ~p~n", [EP]),
+ {ok, {{_, 200, _}, _, _}} = req(Config, options, EP, [{"origin", "https://rabbitmq.com"}])
+ end
+ || EP <- Endpoints].
+
+get_all_http_endpoints() ->
+ [ Path || {Path, _, _} <- rabbit_mgmt_dispatcher:dispatcher() ].
+
 vhost_limits_list_test(Config) ->
 [] = http_get(Config, "/vhost-limits", ?OK),
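Review bot: `check_cors_all_endpoints/1` only matches the 200 status, so it would still pass if an endpoint answered OPTIONS without any CORS headers or ignored the configured origin. Binding the headers and asserting on them would make the test cover what its name promises: `{ok, {{_, 200, _}, Hd, _}} = req(Config, options, EP, [{"origin", "https://rabbitmq.com"}]),` followed by `true = lists:keymember("access-control-allow-origin", 1, Hd)`. The request also omits the `auth_header("guest", "guest")` used a few lines above; if that is deliberate because preflights carry no credentials, a one-line comment saying so would help. The list comprehension is used only for its side effects, so `lists:foreach/2` would read more naturally.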