CVE-2026-44393: OpenStack oslo.messaging RabbitMQ TLS Hostname Verification Bypass
OpenStack's oslo.messaging library contains a critical flaw in how it validates TLS certificates when connecting to RabbitMQ brokers. The driver accepts any certificate signed by your organization's CA without checking that it actually belongs to the RabbitMQ server you're trying to reach. This means an attacker positioned on your network could intercept traffic, present a valid (but wrong) certificate, and trick OpenStack services into sending sensitive control-plane messages to the attacker instead of RabbitMQ. The vulnerability affects all versions from 1.0.0 through 17.3.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-295, CWE-297
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-30
NVD description (verbatim)
An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. Any certificate signed by the deployment CA is accepted regardless of hostname, allowing an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The oslo.messaging RabbitMQ driver implements certificate chain validation when ssl_ca_file is configured, but fails to perform hostname verification against the peer certificate's Subject Alternative Name (SAN) or Common Name (CN). The underlying TLS library receives the CA bundle for validation but never receives the expected broker hostname, preventing it from enforcing that the presented certificate matches the intended target. This is a textbook hostname verification bypass (CWE-295, CWE-297). An attacker with network access to the control plane can forge or intercept connections and present a valid certificate (signed by the deployment's internal CA) without triggering validation failure. The vulnerability is transport-layer and affects all RPC and notification channels using oslo.messaging with RabbitMQ and TLS.
Business impact
OpenStack deployments using RabbitMQ with TLS are exposed to man-in-the-middle attacks on inter-service communication. An attacker gaining access to the control-plane network could intercept and manipulate RPC calls between compute, network, storage, and identity services, potentially leading to unauthorized resource provisioning, data exfiltration, lateral movement, or denial of service. Tenants and services relying on oslo.messaging for task coordination and notifications face integrity and confidentiality compromise. This is particularly severe in multi-tenant cloud environments where control-plane compromise cascades to tenant isolation failures.
Affected systems
All OpenStack deployments running oslo.messaging versions 1.0.0 through 17.3.0 with RabbitMQ configured over TLS (with ssl_ca_file set) are vulnerable. This includes Nova, Neutron, Cinder, Glance, Keystone, and any other OpenStack service using oslo.messaging for RPC or notification transport. The vulnerability is active whenever ssl_ca_file is configured to enable certificate chain validation. Deployments using TLS without ssl_ca_file (self-signed or no validation) are also affected but with different threat models. Non-RabbitMQ brokers (e.g., AMQP 1.0 via QPID) are not affected by this specific driver issue.
Exploitability
Exploitation requires network access to the control-plane traffic path (e.g., ARP spoofing, BGP hijacking, compromised intermediate switch, or cloud provider infrastructure access). The attacker must also possess or generate a certificate signed by the target deployment's internal CA. Given the CVSS score of 7.4 (HIGH) with AV:N and AC:H, real-world exploitation is feasible in environments where control-plane network segmentation is weak or where an insider already has certificate access. No authentication or user interaction is required once the attacker is positioned. Public exploit code is not known to exist, but the vulnerability is straightforward to weaponize once access is achieved.
Remediation
Upgrade oslo.messaging to a patched version (verify against the vendor advisory for the specific version). After patching, the driver will perform hostname verification, rejecting certificates that do not match the configured RabbitMQ broker hostname. Organizations should also audit network segmentation to ensure control-plane traffic is isolated from untrusted networks, implement certificate pinning if possible, and monitor for suspicious certificate validation errors in oslo.messaging logs post-patch.
Patch guidance
Consult the official OpenStack release notes and oslo.messaging repository for patched versions addressing this vulnerability. Patches are expected to add hostname verification logic to the RabbitMQ driver's TLS connection code. Test patches in a staging environment mirroring your production RabbitMQ and oslo.messaging configuration before deploying. Verify that your RabbitMQ broker hostname matches the certificate's SAN/CN after patching. Rolling updates to OpenStack services should be coordinated to minimize message broker unavailability. Monitor service logs for any TLS validation errors during and after the upgrade.
Detection guidance
Look for repeated TLS or certificate-related errors in oslo.messaging logs that correspond to legitimate RabbitMQ broker connections—these may indicate ongoing exploitation attempts. Network-based detection should monitor for unusual certificate presentations from RabbitMQ endpoints or connections to unexpected IP addresses claiming to be the broker. Monitor for changes in RabbitMQ broker certificates or CA trust anchors in deployed configurations. Post-patch, legitimate hostname mismatches will surface quickly; pre-patch, such errors may not appear even under attack. Implement network segmentation and microsegmentation to limit attacker positioning; monitor for ARP spoofing or DNS poisoning in the control-plane VLAN.
Why prioritize this
This vulnerability merits urgent attention for any OpenStack operator using RabbitMQ over TLS. The combination of HIGH severity (CVSS 7.4), the critical role of oslo.messaging in OpenStack orchestration, and the relative ease of exploitation (if positioned) in segmentation-weak environments makes it a top remediation priority. While KEV status is not active, the vulnerability directly enables control-plane compromise and lateral movement. Organizations should treat this as a P1 item for patching and network hardening.
Risk score, explained
CVSS 3.1 score of 7.4 (HIGH) reflects: Network-accessible attack vector (AV:N), high complexity due to required positioning (AC:H), no authentication or user interaction needed (PR:N, UI:N), impact scope unchanged (S:U), and high confidentiality and integrity impact (C:H, I:H) with no availability impact (A:N). The score appropriately weights the seriousness of control-plane compromise but accounts for the prerequisite of network access. Organizations with strong segmentation may experience lower practical risk, while those without may face elevated threat.
Frequently asked questions
Does this affect OpenStack deployments that do not use TLS for RabbitMQ?
No, if TLS is not configured, the vulnerability does not apply. However, unencrypted RabbitMQ traffic exposes oslo.messaging communication to eavesdropping and tampering. All production deployments should use TLS regardless of this vulnerability.
Can I mitigate this without upgrading oslo.messaging immediately?
Partial mitigations include: strict network segmentation to isolate control-plane traffic, disabling RabbitMQ TLS if feasible (trading off this vulnerability for others), or restricting access to internal CA certificates. However, these are not substitutes for patching. Upgrade should be the primary remediation.
How can I verify if my deployment is vulnerable?
Check oslo.messaging version (run `pip show oslo.messaging` or consult your OpenStack package manifest). If version is 1.0.0 through 17.3.0 and `ssl_ca_file` is set in your RabbitMQ transport configuration, you are vulnerable. Test by inspecting oslo.messaging source code for hostname verification logic in the RabbitMQ driver, or contact your OpenStack vendor for vulnerability status.
What is the difference between this and a self-signed certificate attack?
Self-signed certificates have no CA chain to validate. This vulnerability exists precisely because the driver *does* validate the CA chain (when configured) but skips hostname verification. An attacker with a certificate signed by the target CA (but with the wrong hostname) will pass validation and enable MITM attacks.
This analysis is based on published vulnerability data and CVSS scoring as of the knowledge cutoff. Patch versions and vendor-specific remediation guidance must be verified against official OpenStack and oslo.messaging advisories. SEC.co does not provide or endorse exploit code or weaponized proof-of-concepts. Organizations should validate vulnerability applicability to their specific deployments and test patches in staging environments before production deployment. Risk scores and exploitability assessments reflect typical threat scenarios and may vary based on network architecture, segmentation, and controls in place. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35563HIGHApache Directory LDAP API Hostname Verification Bypass
- CVE-2026-41859HIGHBOSH nats-sync SSL Certificate Validation Bypass – Credential Theft & Authorization Tampering
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction