PatchSiren cyber security CVE debrief
CVE-2026-41701 Spring CVE debrief
CVE-2026-41701 is a medium-severity vulnerability in Spring AMQP. The issue arises from predictable correlation IDs for replies in the RabbitTemplate.sendAndReceive() method with a fixed reply queue. This predictability stems from an internal simple counter. The affected versions include Spring AMQP 4.0.0 through 4.0.3, 3.2.0 through 3.2.10, 3.1.0 through 3.1.15, and 2.4.0 through 2.4.17.
- Vendor: Spring
- Product: Spring AMQP
- CVSS: MEDIUM 4.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring AMQP, particularly those using versions 4.0.0 through 4.0.3, 3.2.0 through 3.2.10, 3.1.0 through 3.1.15, and 2.4.0 through 2.4.17, should be aware of this vulnerability.
Technical summary
The vulnerability is caused by the use of a simple internal counter to generate correlation IDs for replies in the RabbitTemplate.sendAndReceive() method with a fixed reply queue. This makes the correlation IDs predictable.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a non-affected version of Spring AMQP.
- Use a more secure method of generating correlation IDs.
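Added example (not code from Spring AMQP or from this debrief): a plain-JDK Java model of the counter-style correlation IDs described in the technical summary, beside a SecureRandom-based generator, with a check that flags sequential IDs in a sample. The class and method names, the 128-bit ID length and the sample IDs are assumptions of this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

public class CorrelationIdDemo {
    // Model of the weak scheme the advisory describes: a simple internal counter.
    static final AtomicInteger COUNTER = new AtomicInteger();
    static String counterId() {
        return String.valueOf(COUNTER.incrementAndGet());
    }

    // Hardened alternative (assumption of this example): 128 bits from a CSPRNG.
    static final SecureRandom RNG = new SecureRandom();
    static String randomId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Audit check: true when every ID is a decimal number exactly one above
    // the previous one, i.e. the sequence can be derived from a single sample.
    static boolean looksSequential(List<String> ids) {
        if (ids.size() < 2) return false;
        long prev = -1;
        for (int i = 0; i < ids.size(); i++) {
            long cur;
            try {
                cur = Long.parseLong(ids.get(i));
            } catch (NumberFormatException e) {
                return false; // non-numeric IDs are not counter output
            }
            if (i > 0 && cur != prev + 1) return false;
            prev = cur;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples: three IDs from each generator.
        List<String> weak = List.of(counterId(), counterId(), counterId());
        List<String> strong = List.of(randomId(), randomId(), randomId());
        System.out.println("counter IDs " + weak + " sequential=" + looksSequential(weak));
        System.out.println("random IDs  " + strong + " sequential=" + looksSequential(strong));
    }
}
```

Spring AMQP's RabbitTemplate has setUserCorrelationId(true), which makes the template use the correlation ID already set in the message properties instead of generating one. Caller-supplied IDs must be unique across in-flight requests.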
Evidence notes
The CVE-2026-41701 record and associated references provide details on the vulnerability.
Official resources
- CVE-2026-41701 CVE record (CVE.org)
- CVE-2026-41701 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-41701 was published on 2026-06-10T00:16:51.107Z and modified on 2026-06-10T19:24:04.320Z.