CVE-2026-41714
MediumCVSS 4.0Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
Vulnerability in Spring AMQP causes applications using RabbitConnectionFactoryBean.setUri("amqps://...") without calling setUseSSL(true) to get TLS encryption with no certificate validation and no hostname verification.
Risk Assessment
A man-in-the-middle attacker can intercept and modify traffic between the application and the RabbitMQ broker, leading to data leakage or message integrity compromise.
Recommendation
Update Spring AMQP to version 4.0.4, 3.2.11, 3.1.16, or 2.4.18, or call setUseSSL(true) when configuring the connection.
Original NVD description (English source)
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.

