VYPR
← All advisories
Medium severity4.0NVD Advisory· Published Jun 10, 2026

CVE-2026-41714

CVE-2026-41714

Description

Spring AMQP's RabbitConnectionFactoryBean improperly handles amqps:// URIs, leading to TLS encryption without certificate or hostname validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring AMQP's `RabbitConnectionFactoryBean` improperly handles `amqps://` URIs, leading to TLS encryption without certificate or hostname validation.

Vulnerability

Applications using Spring AMQP versions 4.0.0 through 4.0.3, 3.2.0 through 3.2.10, 3.1.0 through 3.1.15, and 2.4.0 through 2.4.17 that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) will establish TLS encryption but bypass certificate validation and hostname verification [1].

Exploitation

An attacker with network access to the application can exploit this vulnerability by intercepting the connection to the RabbitMQ broker. By presenting a malicious TLS certificate, the attacker can trick the application into establishing an encrypted connection that appears legitimate, without the application performing any checks to verify the broker's identity [1].

Impact

Successful exploitation allows an attacker to perform man-in-the-middle attacks. This can lead to the disclosure of sensitive information transmitted between the application and the RabbitMQ broker, as the attacker can decrypt and potentially modify the traffic [1].

Mitigation

Users should upgrade to the following fixed versions: Spring AMQP 4.0.4 or 4.0.3.1, 3.2.11 or 3.2.10.1, 3.1.16, and 2.4.18. Versions that are no longer supported are also affected. No further mitigation steps are necessary [1].

References
  1. CVE-2026-41714: In Spring AMQP the `RabbitConnectionFactoryBean.setUri("amqps://...")` bypasses secure SSL setup, uses `TrustEverythingTrustManager`

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • Spring Projects/AMQPllm-create
    Range: 4.0.0 - 4.0.3, 3.2.0 - 3.2.10, 3.1.0 - 3.1.15, 2.4.0 - 2.4.17

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1