Hostname Verification Flaw in Spring Boot RabbitMQ Configuration by Pivotal Software
CVE-2026-40971

CVSS score: 5 (MEDIUM)

Key Information:

Vendor: Spring

CVE Published: 27 April 2026

What is CVE-2026-40971?

Spring Boot's RabbitMQ auto-configuration fails to validate the broker hostname when an SSL bundle is used for connections to the RabbitMQ broker. Without hostname verification, an attacker able to position themselves on the network path could impersonate the RabbitMQ server and intercept or manipulate communication. The issue affects versions 4.0.0 through 4.0.5 and 3.5.0 through 3.5.13; it is fixed in versions 4.0.6 and 3.5.14 respectively. Developers should upgrade to the patched versions to close this gap.

Affected Version(s)

Spring Boot >= 4.0.0, < 4.0.6 (fixed in 4.0.6)

Spring Boot >= 3.5.0, < 3.5.14 (fixed in 3.5.14)

CVSS v3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 27 April 2026

  • Vulnerability reserved