CVE-2026-44393
7.4 HIGHAn issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0
Published: 2026-06-04 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 7.4 HIGH
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-297
Description
An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. Any certificate signed by the deployment CA is accepted regardless of hostname, allowing an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-35563 — It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDA... (8.5 HIGH)
- CVE-2026-42790 — Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints ... (8.1 HIGH)
- CVE-2026-44467 — The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side (6.8 MEDIUM)
- CVE-2025-25253 — An Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiProxy version 7.6.1 and below, version 7.4.8 and... (7.5 HIGH)
- CVE-2024-12925 — Improper Validation of Certificate with Host Mismatch vulnerability in Akınsoft QR Menü allows HTTP Response Splitting (7.3 HIGH)