Description
Correlation IDs for replies in the RabbitTemplate.sendAndReceive() with the fixed reply queue are predictable due to internal simple counter.

Affected versions:
Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
Published: 2026-06-09
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring AMQP's RabbitTemplate.sendAndReceive(), when configured with a fixed reply queue, assigns correlation IDs by incrementing a simple internal counter. Because the counter is predictable, an attacker who can publish to the broker can anticipate the correlation ID a pending request is waiting for and place a forged response on the reply queue, which the consumer then accepts as the genuine reply. Such reply poisoning can cause the application to process incorrect data or perform unintended actions, potentially leading to loss of confidentiality or integrity. The weakness is classified as CWE-330 (Use of Insufficiently Random Values).

Affected Systems

The flaw exists in Spring AMQP 4.0.0 through 4.0.3, 3.2.0 through 3.2.10, 3.1.0 through 3.1.15, and 2.4.0 through 2.4.17. Any deployment using these versions and relying on sendAndReceive() over a fixed reply queue is affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.4 (Medium) reflects the vector recorded in the History section of this page: network attack vector, high attack complexity, high privileges required, no user interaction, changed scope, and low confidentiality and integrity impact. No EPSS score is available yet, so the likelihood of exploitation has not been quantified, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can send messages to the affected RabbitMQ broker or who has network access to the AMQP client, so practical exposure depends on how widely the broker is reachable. No exploit code has been published, but predictable IDs give an actor with that access a clear path to forging replies.

Generated by OpenCVE AI on June 10, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring AMQP to 4.0.4 or newer, which removes the predictable counter and uses a secure correlation ID scheme.
  • If an upgrade is not immediately possible, configure the application to use a unique reply queue per consumer or a correlation ID scheme that cannot be predicted (for example, IDs drawn from a cryptographically secure random source rather than a sequence).
  • Apply network segmentation or authentication controls to restrict who can send messages to the RabbitMQ broker, limiting the opportunity for an attacker to inject forged replies.

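As an added illustration of the impact and remediation points above (not code from this page or from Spring AMQP), the following constructed Python model assigns correlation IDs from either a plain counter or the OS CSPRNG and checks, for each scheme, whether a reply carrying a guessed ID gets bound to a pending request; all class and function names are hypothetical.

```python
import secrets
from itertools import count
from typing import Callable, Dict, Optional

# Constructed illustration, not Spring AMQP code: a minimal request/reply
# correlator over one shared (fixed) reply queue, parameterised by the
# correlation-ID generator so the weak and hardened schemes can be compared.

class ReplyCorrelator:
    def __init__(self, new_id: Callable[[], str]) -> None:
        self._new_id = new_id
        self._pending: Dict[str, Optional[bytes]] = {}  # cid -> reply body

    def send(self, request: bytes) -> str:
        """Register an outstanding request; its reply must carry the returned ID."""
        cid = self._new_id()
        if cid in self._pending:
            raise RuntimeError("correlation ID reuse")
        self._pending[cid] = None
        return cid

    def on_reply(self, cid: str, body: bytes) -> bool:
        """First reply for a pending ID is bound to it; unknown or already-answered
        IDs are dropped (log them: they are the observable signal of poisoning)."""
        if self._pending.get(cid, b"") is not None:
            return False
        self._pending[cid] = body
        return True

    def result(self, cid: str) -> Optional[bytes]:
        return self._pending.get(cid)

def sequential_ids() -> Callable[[], str]:
    """Weak scheme: a plain counter, like the affected sendAndReceive()."""
    counter = count(1)
    return lambda: str(next(counter))

def random_ids(nbytes: int = 16) -> Callable[[], str]:
    """Hardened scheme: 128 bits per request from the OS CSPRNG."""
    return lambda: secrets.token_urlsafe(nbytes)

def scheme_is_poisonable(make_ids: Callable[[], Callable[[], str]]) -> bool:
    """Property check: after one ID is seen on the wire, does a reply carrying
    the obvious 'next' value get bound to the following request first?"""
    corr = ReplyCorrelator(make_ids())
    observed = corr.send(b"probe")
    cid = corr.send(b"GET balance")
    guess = str(int(observed) + 1) if observed.isdigit() else observed + "1"
    forged_bound = corr.on_reply(guess, b"forged")
    corr.on_reply(cid, b"genuine")  # the real reply arrives second
    return forged_bound and corr.result(cid) == b"forged"
```

With the counter the forged message is bound to the pending request and the genuine reply is discarded as a duplicate; with CSPRNG-backed IDs the forged message is rejected and, in a real consumer, would be the event to alert on.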

Tracking


Advisories

No advisories yet.

References
History

Wed, 10 Jun 2026 00:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Correlation IDs for replies in the RabbitTemplate.sendAndReceive() with the fixed reply queue are predictable due to internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.

Type: Title
Values Removed: (empty)
Values Added: In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-330

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:47:54.996Z

Reserved: 2026-04-22T06:21:22.982Z

Link: CVE-2026-41701

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T00:16:51.107

Modified: 2026-06-10T00:16:51.107

Link: CVE-2026-41701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses