Description
Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification.

Affected versions:
Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
Published: 2026-06-09
Score: 4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring AMQP clients that call RabbitConnectionFactoryBean.setUri('amqps://...') without also enabling SSL through setUseSSL(true) establish TLS connections that bypass certificate validation and hostname verification, using a TrustEverythingTrustManager. Based on the description, this flaw allows an attacker on the network path to inject or eavesdrop on broker traffic, potentially exposing credentials, messages, and sensitive data without the client recognizing the misconfiguration. The weakness is a classic example of insecure configuration leading to loss of confidentiality and integrity of data in transit.

Affected Systems

Spring: Spring AMQP versions 4.0.0 through 4.0.3, 3.2.0 through 3.2.10, 3.1.0 through 3.1.15, and 2.4.0 through 2.4.17 are affected. These include all builds released within those version ranges.

Risk and Exploitability

The CVSS score is 4, reflecting low to moderate risk. The EPSS score is not available, and KEV does not list this vulnerability, suggesting it is not a widely exploited threat yet. Based on the description, an attacker positioned between the client and broker could exploit the insecure TLS settings. Because the flaw is a configuration oversight, applying updates mitigates the risk.

Generated by OpenCVE AI on June 10, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Spring AMQP to the latest release that enforces proper TLS handling (e.g., 4.0.4 or newer).
  • After configuring the URI, explicitly call setUseSSL(true) so that certificate and hostname verification are performed.
  • Ensure that the application uses the default TrustManager or a custom one that validates broker certificates and verifies the host name; avoid using TrustEverythingTrustManager or empty validation blocks.

Generated by OpenCVE AI on June 10, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41714 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.
Title In Spring AMQP the RabbitConnectionFactoryBean.setUri("amqps://...") bypasses secure SSL setup, uses TrustEverythingTrustManager
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:48:16.317Z

Reserved: 2026-04-22T06:21:37.020Z

Link: CVE-2026-41714

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:51.450

Modified: 2026-06-10T00:16:51.450

Link: CVE-2026-41714

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses