CVE Catalog

CVE-2026-41714

MediumCVSS 4.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

Vulnerability in Spring AMQP causes applications using RabbitConnectionFactoryBean.setUri("amqps://...") without calling setUseSSL(true) to get TLS encryption with no certificate validation and no hostname verification.

Risk Assessment

A man-in-the-middle attacker can intercept and modify traffic between the application and the RabbitMQ broker, leading to data leakage or message integrity compromise.

Recommendation

Update Spring AMQP to version 4.0.4, 3.2.11, 3.1.16, or 2.4.18, or call setUseSSL(true) when configuring the connection.

Original NVD description (English source)

Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS