Critical Vulnerabilities in Spring Boot's SSL Configuration for Elasticsearch and RabbitMQ

Critical Vulnerabilities in Spring Boot's SSL Configuration for Elasticsearch and RabbitMQ

First seen 27 Apr 2026, 18:01 UTC spring.io 73% similarity 70.5

Article Content

Browse articles
ThreatCluster

Two critical vulnerabilities have been identified in Spring Boot's auto-configuration for Elasticsearch and RabbitMQ. CVE-2026-40970 affects Elasticsearch, while CVE-2026-40971 impacts RabbitMQ. Both vulnerabilities occur when configured to use an SSL bundle, leading to the disabling of TLS hostname verification during connections to their respective servers. Users of affected versions are advised to upgrade to fixed versions immediately. The vulnerabilities were reported by Yu Bao from PayPal. No further mitigation steps are necessary beyond upgrading. The issues could potentially expose users to man-in-the-middle attacks if exploited. The vulnerabilities were disclosed on April 27, 2026.

Key Points: • CVE-2026-40970 and CVE-2026-40971 disable TLS hostname verification in Spring Boot. • Affected systems include Elasticsearch and RabbitMQ when using SSL bundles. • Immediate upgrades to fixed versions are required to mitigate these vulnerabilities.

ThreatCluster AI

Timeline

2026-04-27
CVE-2026-40970 and CVE-2026-40971 disclosed
2026-04-27
Users advised to upgrade to fixed versions

Community

Browse all →