Spring gRPC CVE-2026-40969

| EUVD-2026-26064 LOW
Error Message Information Leak (CWE-209)
2026-04-28 [email protected]
Information Disclosure Java
3.7
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Apr 28, 2026 - 17:02 EUVD
Analysis Generated
Apr 28, 2026 - 15:30 vuln.today

DescriptionNVD

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.

Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

AnalysisAI

Spring gRPC versions 1.0.0 through 1.0.2 leak sensitive authentication failure details in gRPC status descriptions to unauthenticated remote callers, enabling reconnaissance for follow-up attacks. The vulnerability exposes raw server-side AuthenticationException messages without sanitization, providing attackers with information about authentication mechanisms and potential weaknesses. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40969 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy