Description
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Published: 2026-04-27
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Man-in-the-Middle via skipped hostname verification
Action: Patch Now
AI Analysis

Impact

Spring Boot’s auto‑configuration for RabbitMQ allows an SSL bundle but fails to perform hostname verification, creating an improper certificate validation weakness (CWE‑295). This means a malicious broker or network attacker can impersonate the intended RabbitMQ broker, potentially intercepting or altering traffic between the Spring Boot application and the broker. The reported CVSS score of 5 indicates a moderate risk of data confidentiality and integrity compromise.

Affected Systems

Spring Boot 4.0.0 through 4.0.5 and 3.5.0 through 3.5.13 are affected; the vulnerability is fixed in Spring Boot 4.0.6 and 3.5.14 respectively.

Risk and Exploitability

The vulnerability can be exploited when an application is configured to use an SSL bundle for RabbitMQ connections, typically over a network that could be monitored or controlled by an adversary. Since hostname verification is not performed, an attacker who can influence the broker endpoint can conduct a man‑in‑the‑middle attack. With a CVSS score of 5 and no EPSS data, exploitation likelihood is uncertain but the lack of KEV listing suggests no widespread active exploitation yet. The risk remains moderate and warrants timely remediation.

Generated by OpenCVE AI on April 28, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Boot to 4.0.6 or later, or to 3.5.14 or later, where the hostname verification check is restored.
  • If an immediate upgrade is not possible, avoid using an SSL bundle that is not trusted or remove the SSL configuration until the patch is applied.
  • After applying the patch or workaround, verify that the Spring Boot application is establishing TLS connections with proper certificate chains and that the broker’s hostname matches the presented certificate.

Generated by OpenCVE AI on April 28, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9vc8-qppq-wvxc Spring Boot's RabbitMQ auto-configuration doesn't perform hostname verification when connecting to the RabbitMQ broker
History

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Boot
CPEs cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Boot

Mon, 04 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Hostname Verification Bypass in Spring Boot RabbitMQ SSL Connections Spring Boot: Spring Boot: Information disclosure and data tampering via missing hostname verification
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Title Hostname Verification Bypass in Spring Boot RabbitMQ SSL Connections
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Boot
Vendors & Products Spring
Spring spring Boot

Mon, 27 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Spring Spring Boot
Vmware Spring Boot
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T12:46:29.029Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40971

cve-icon Vulnrichment

Updated: 2026-04-28T12:46:25.508Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-27T23:16:03.403

Modified: 2026-05-14T16:06:19.030

Link: CVE-2026-40971

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-27T22:45:13Z

Links: CVE-2026-40971 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses