Vulnerability in Spring Boot
CVE-2026-40971
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per ve…
Vulnerability class: Improper Certificate Validation
EPSS: 0.001 (19.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.0 (Medium). Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L.
Affected products
- Spring Boot — versions 4.0.0, 3.5.0
- Vmware Spring_boot
Weakness classification (CWE)
References
- security@vmware.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2026-40971?
- CVE-2026-40971 is a medium-severity vulnerability in Spring Boot, classified under Improper Certificate Validation. CVSS score: 5.0/10. Published 2026-04-27.
- How severe is CVE-2026-40971?
- Medium severity. CVSS v3 base score is 5.0 out of 10.