PatchSiren cyber security CVE debrief
CVE-2026-44393 OpenStack CVE debrief
CVE-2026-44393 is a HIGH severity vulnerability in OpenStack oslo.messaging 1.0.0 through 17.3.0. The RabbitMQ driver fails to perform TLS hostname verification when connecting to the message broker. When `ssl_ca_file` is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. This allows an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected.
- Vendor: OpenStack
- Product: oslo.messaging
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Operators of OpenStack deployments whose services use oslo.messaging with the RabbitMQ driver over TLS (that is, with `ssl_ca_file` configured) are affected and should plan mitigation.
Technical summary
The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. With `ssl_ca_file` set, the certificate chain is validated against the configured CA, but the expected broker hostname is never handed to the TLS stack, so any certificate issued by that CA is accepted regardless of the name it carries. An attacker who can intercept control-plane traffic and present such a certificate can therefore impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates to oslo.messaging that enable TLS hostname verification in the RabbitMQ driver.
- Inventory OpenStack services that use oslo.messaging with the RabbitMQ driver over TLS (`ssl_ca_file` set) and confirm each runs a patched oslo.messaging release.
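The following Python script is an added illustration of the gap described in this debrief and of the hardened client setting; it is not oslo.messaging's code or the project's fix. It contrasts a TLS client context that validates the chain only (what the advisory describes) with one that also matches the broker name, and provides an audit function that flags the weak setting. The names `build_broker_tls_context`, `build_chain_only_context`, `audit_broker_tls`, `hostname_required` and `wrap_for_broker` are assumptions made for this example; `ca_file` stands in for `ssl_ca_file`, and the hostname `rabbit.example.internal` is a constructed sample value.

```python
import socket
import ssl
from typing import List, Optional


def build_broker_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: validate the chain AND match the broker name.

    ca_file plays the role of ssl_ca_file (assumption: a PEM bundle path).
    None falls back to the system trust store so the example runs with no
    files on disk.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the check the flawed driver effectively leaves off
    return ctx


def build_chain_only_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Models the flawed behaviour in the advisory: the CA bundle is trusted,
    so the chain validates, but no peer name is ever matched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def audit_broker_tls(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context a RabbitMQ client would use; empty = OK."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: broker chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any certificate from a trusted CA "
                        "is accepted regardless of the name it carries")
    return findings


def hostname_required(ctx: ssl.SSLContext) -> bool:
    """True if ctx refuses to wrap a socket when no server_hostname is given.

    A hardened context fails closed here (the ssl module raises ValueError
    before the socket is touched); a chain-only context proceeds silently,
    which is the gap the CVE describes.
    """
    raw = socket.socket()
    try:
        wrapped = ctx.wrap_socket(raw, server_hostname=None)
    except ValueError:
        raw.close()
        return True
    wrapped.close()
    return False


def wrap_for_broker(ctx: ssl.SSLContext, broker_host: str) -> ssl.SSLSocket:
    """Build the client socket the way a fixed driver should: the host taken
    from the transport URL is handed to the TLS stack, which matches it against
    the certificate's subjectAltName during the handshake on connect().
    No connection is made here; the caller is expected to call .connect()."""
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return ctx.wrap_socket(raw, server_hostname=broker_host)


if __name__ == "__main__":
    for name, ctx in (("chain-only", build_chain_only_context()),
                      ("hardened", build_broker_tls_context())):
        print(name, "findings:", audit_broker_tls(ctx) or "none",
              "| fails closed without hostname:", hostname_required(ctx))
```

Running the script prints one finding for the chain-only context and none for the hardened one; the hardened context also refuses to wrap a socket unless a broker hostname is supplied, which is the behaviour a patched driver should exhibit.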
Evidence notes
The CVE-2026-44393 record and associated references provide evidence for this vulnerability.
Official resources
CVE-2026-44393 was published on 2026-06-04T16:16:38.497Z and modified on 2026-06-04T18:16:31.010Z.