CVE-2026-41714

MEDIUM 4.0

In Spring AMQP the RabbitConnectionFactoryBean.setUri("amqps://...") bypasses secure SSL setup, uses TrustEverythingTrustManager

CVSS Score

4.0

EPSS Score

0.0%

EPSS Percentile

0th

Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.

CWE	CWE-295
Vendor	spring
Product	spring amqp
Ecosystems	Java Spring
Industries	TechnologyEnterprise
Published	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for spring spring amqp

Be the first to know when new medium vulnerabilities affecting spring spring amqp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

Spring / Spring AMQP

4.0.0 < 4.0.4 3.2.0 < 3.2.11 3.1.0 < 3.1.16 2.4.0 < 2.4.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

spring.io: https://spring.io/security/cve-2026-41714