CVE-2026-40969

LOW

Spring gRPC AuthenticationException message reflected to remote client

Title source: cna

Description

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. An attacker can therefore learn why authentication failed, information that may be useful for further attacks. Affected versions: Spring gRPC 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

Scores

CVSS v3 3.7
EPSS 0.0006
EPSS Percentile 17.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-209
Status published
Products (1)
Spring/Spring gRPC 1.0.0 - 1.0.3
Published Apr 28, 2026
Tracked Since Apr 28, 2026