CVE-2026-41714 describes an improper certificate validation vulnerability (CWE-295) in Spring AMQP. When applications configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") but omit calling setUseSSL(true), the TLS encryption is established without validating the server certificate or verifying the hostname. This flaw affects multiple Spring AMQP versions: 2.4.0 through 2.4.17, 3.1.0 through 3.1.15, 3.2.0 through 3.2.10, and 4.0.0 through 4.0.3. The vulnerability could allow an attacker to intercept or manipulate data by exploiting the lack of proper TLS validation. The CVSS v3.1 base score is 4.0, reflecting a medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, and partial confidentiality impact. No vendor advisory or patch links are currently available, and the remediation level is unspecified.

The vulnerability allows TLS connections to be established without certificate validation or hostname verification when using the affected Spring AMQP versions with the specified configuration. This can lead to man-in-the-middle attacks where an attacker could intercept or eavesdrop on supposedly encrypted communication, potentially exposing sensitive data. The impact is limited to confidentiality loss; integrity and availability are not affected according to the CVSS vector. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, ensure that when configuring RabbitConnectionFactoryBean with an amqps:// URI, the setUseSSL(true) method is explicitly called to enforce proper certificate validation and hostname verification. Avoid relying solely on setUri("amqps://...") without this additional configuration to prevent insecure TLS connections.