CVE-2026-40971

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.4

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://spring.io/security/cve-2026-40971

Configurations

No configuration.

History

27 Apr 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-27 23:16

Updated : 2026-04-28 20:11

NVD link : CVE-2026-40971

Mitre link : CVE-2026-40971

CVE.ORG link : CVE-2026-40971

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

5.0 /10