| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring AMQP | 4.0.0 < 4.0.4 | affected |
| Spring | Spring AMQP | 3.2.0 < 3.2.11 | affected |
| Spring | Spring AMQP | 3.1.0 < 3.1.16 | affected |
| Spring | Spring AMQP | 2.4.0 < 2.4.18 | affected |

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Spring | Spring AMQP | 4.0.0 ~ 4.0.4 | - |

No public POC found.

| CVE | Severity | Title |
|---|---|---|
| CVE-2026-41717 | 8.1 HIGH | Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding |
| CVE-2026-41732 | 8.1 HIGH | In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper expose |
| CVE-2026-41855 | 8.1 HIGH | Spring Framework Unsafe Deserialization via Jackson JMS Converters |
| CVE-2026-41729 | 8.1 HIGH | Spring Data REST SpEL Injection via Map Key in JSON Patch |
| CVE-2026-41731 | 8.1 HIGH | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers expose |
| CVE-2026-41003 | 7.6 HIGH | Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting |
| CVE-2026-41850 | 7.5 HIGH | Spring Framework Algorithmic Denial of Service via SpEL Expressions |
| CVE-2026-41007 | 7.5 HIGH | Spring HATEOAS heap exhaustion through unbounded internal caching |
| CVE-2026-41006 | 7.5 HIGH | Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration |
| CVE-2026-41849 | 7.5 HIGH | Spring Framework Denial of Service via Integer Overflow in SpEL Expressions |
| CVE-2026-41842 | 7.5 HIGH | Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux |
| CVE-2026-41728 | 7.5 HIGH | Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objec |
| CVE-2026-41695 | 7.5 HIGH | Denial of Service in Spring Data Commons Property Path Resolution |
| CVE-2026-41716 | 7.5 HIGH | Spring Data web support unbounded negative-result cache keyed on attacker-supplied propert |
| CVE-2026-40988 | 7.5 HIGH | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider |
| CVE-2026-40983 | 7.5 HIGH | Micrometer gRPC server instrumentation DoS vulnerability |
| CVE-2026-40984 | 7.5 HIGH | Micrometer HTTP server instrumentations DoS vulnerability |
| CVE-2026-41720 | 7.4 HIGH | Authentication Bypass with Empty Password in Spring LDAP |
| CVE-2026-40993 | 7.3 HIGH | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Databa |
| CVE-2026-41845 | 7.1 HIGH | Spring Framework Cross-site Scripting via JavaScriptUtils |

Showing top 20 of 51 CVEs.