CVE-2026-41714
Received - Intake
Insecure TLS Configuration in Spring AMQP

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
Affected Vendors & Products
Vendor Product Version / Range
spring amqp From 4.0.0 (inc) to 4.0.3 (inc)
spring amqp From 3.2.0 (inc) to 3.2.10 (inc)
spring amqp From 3.1.0 (inc) to 3.1.15 (inc)
spring amqp From 2.4.0 (inc) to 2.4.17 (inc)
CWE ID Description
CWE-295 Improper Certificate Validation: the product does not validate, or incorrectly validates, a certificate.
Executive Summary

CVE-2026-41714 is a security vulnerability in Spring AMQP where configuring a broker connection using RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) results in TLS encryption being enabled but with no certificate validation or hostname verification.

This happens because the amqps:// scheme causes the underlying RabbitMQ Java client ConnectionFactory to enable TLS with its default TrustEverythingTrustManager, while the trust-store and hostname-verification setup that Spring AMQP performs only when setUseSSL(true) is set is never applied. The connection is encrypted, but any certificate the peer presents is accepted.

Affected versions include Spring AMQP 4.0.0 through 4.0.3, 3.2.0 through 3.2.10, 3.1.0 through 3.1.15, and 2.4.0 through 2.4.17.
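The following is an added example, not code from the advisory or from the Spring AMQP project, that shows the misconfiguration described in the description and executive summary above beside a hardened form. The trust-store location, its passphrase, and the amqps URI are placeholders supplied by the caller; the TLS protocol choice is an explicit setting, not a value the page specifies.

```java
import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean;

public class BrokerTlsConfig {

    // Vulnerable pattern from the advisory: the amqps:// scheme turns TLS on in the
    // underlying RabbitMQ client with its trust-everything trust manager, and
    // Spring AMQP's own SSL setup (trust store, hostname verification) is never
    // applied because setUseSSL(true) is not called.
    public static CachingConnectionFactory insecure(String amqpsUri) throws Exception {
        RabbitConnectionFactoryBean bean = new RabbitConnectionFactoryBean();
        bean.setUri(amqpsUri);               // e.g. "amqps://user:pass@broker.example:5671/vhost" (placeholder)
        bean.afterPropertiesSet();
        return new CachingConnectionFactory(bean.getObject());
    }

    // Hardened form: enable Spring AMQP's SSL setup explicitly and pin a trust store,
    // so the broker certificate must chain to a CA you control and match the hostname.
    public static CachingConnectionFactory hardened(String amqpsUri,
                                                   String trustStoreLocation,
                                                   String trustStorePassphrase) throws Exception {
        RabbitConnectionFactoryBean bean = new RabbitConnectionFactoryBean();
        bean.setUri(amqpsUri);
        bean.setUseSSL(true);                           // triggers Spring AMQP's SSL setup
        bean.setSslAlgorithm("TLSv1.2");                // explicit protocol choice (assumption, not from the page)
        bean.setTrustStoreType("PKCS12");
        bean.setTrustStore(trustStoreLocation);         // e.g. "file:/etc/app/rabbit-truststore.p12" (placeholder)
        bean.setTrustStorePassphrase(trustStorePassphrase);
        bean.setEnableHostnameVerification(true);       // reject a valid cert for the wrong host
        bean.setSkipServerCertificateValidation(false); // never true outside local development
        bean.afterPropertiesSet();
        return new CachingConnectionFactory(bean.getObject());
    }
}
```

The difference between the two factories is invisible at the wire level: both negotiate TLS. Only the hardened one fails the connection when the broker presents a certificate that does not chain to the configured trust store or does not match the hostname in the URI, which is exactly the check an attacker on the path relies on being absent.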

Impact Analysis

Without certificate validation or hostname verification, the TLS session protects traffic only against passive eavesdropping; it no longer proves that the application is talking to the intended broker.

An attacker positioned on the network path, or able to redirect DNS or routing, can present any certificate, terminate the TLS connection, and act as a man-in-the-middle, reading and tampering with every message exchanged between the application and the broker.

That includes the broker credentials sent during the AMQP connection handshake, so the exposure extends beyond message contents to unauthorized access to the messaging infrastructure.

Mitigation Strategies

The recommended mitigation is to upgrade to the fixed versions of Spring AMQP.

  • Upgrade to version 4.0.4 (OSS) or 4.0.3.1 (Commercial)
  • Upgrade to version 3.2.11 (OSS) or 3.2.10.1 (Commercial)
  • Upgrade to version 3.1.16 (Commercial)
  • Upgrade to version 2.4.18 (Commercial)

Until the upgrade is applied, the description identifies the safe configuration: call setUseSSL(true) in addition to setUri("amqps://...") and configure a trust store, so that Spring AMQP's own SSL setup (certificate validation and hostname verification) is used. After upgrading to a fixed version no additional mitigation steps are required, though keeping setUseSSL(true) explicit in the configuration makes the intent clear.

Compliance Impact

This vulnerability results in TLS encryption being enabled without certificate validation or hostname verification, effectively bypassing secure SSL setup.

Such a lack of proper encryption validation can lead to potential data interception or man-in-the-middle attacks, which may compromise the confidentiality and integrity of sensitive data.

Consequently, this could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strong protections for data in transit to ensure privacy and security.
