RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification

MEDIUM | APRIL 23, 2026 | CVE-2026-40971

Description

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.

Affected Spring Products and Versions

Spring Boot:

  • 4.0.0 - 4.0.5
  • 3.5.0 - 3.5.13

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
4.0.6OSS
3.5.14OSS

No further mitigation steps are necessary.

History

  • 2026-04-23: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all