CVE-2026-40968
Status: Received (Intake)
Authentication Context Leakage in Spring gRPC Allows Privilege Escalation

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VMware

Description
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2026-04-28
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vmware
Product: spring_grpc
Version / Range: up to 1.0.3 (excluding)
CWE
CWE-653 (Improper Isolation or Compartmentalization): The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. Here the resource that is not isolated is the per-thread authentication state shared by successive requests on one worker thread.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40968 is a medium-severity security vulnerability in Spring gRPC versions 1.0.0 through 1.0.2 and older unsupported versions.

The issue occurs when an authenticated user is denied access to a gRPC method: the authorization check fails, but the identity that was already bound to the gRPC worker thread is not cleared on that denial path.

Worker threads are pooled and reused, so a later request that carries no credentials at all can be serviced on the same thread, read the stale identity, and effectively run as the earlier user.

In other words, the security context leaks across requests on authorization failure. The attacker does not choose which pooled thread serves a request, so exploitation depends on landing on a thread that still holds a stale identity; with reused threads that condition recurs routinely, and the result is unauthorized privilege escalation.
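The following is an added illustration of the mechanism, not code from Spring gRPC or from this advisory. It models the worker-thread-bound identity as a plain ThreadLocal, replays the two-request sequence (an authenticated user denied an admin method, then a request with no credentials) on a single-thread executor so both land on the same thread, and shows the vulnerable shape beside the hardened one. The credential table, method names and policy are constructed for the example.

```java
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Toy model of CVE-2026-40968's mechanism: a per-thread identity slot that a denied call fails to clear. */
public class ContextLeakDemo {

    /** Stand-in for the worker-thread-bound security context. */
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    /** Constructed credentials: alice is a legitimate, non-admin user. */
    static final Map<String, String> TOKENS = Map.of("token-alice", "alice");

    static final class PermissionDenied extends RuntimeException {
        PermissionDenied(String msg) { super(msg); }
    }

    /** Toy policy: every method needs a principal; AdminService/Wipe additionally needs "admin". */
    static void authorize(String method, String principal) {
        if (principal == null) throw new PermissionDenied("UNAUTHENTICATED: " + method);
        if (method.equals("AdminService/Wipe") && !principal.equals("admin"))
            throw new PermissionDenied("PERMISSION_DENIED: " + principal + " on " + method);
    }

    /** Map.of rejects null keys, so an absent token must be handled before the lookup. */
    static String lookup(String token) {
        return token == null ? null : TOKENS.get(token);
    }

    /** Vulnerable shape: identity is bound before the check; the denial path throws past the cleanup. */
    static String vulnerableHandle(String token, String method) {
        String user = lookup(token);
        if (user != null) PRINCIPAL.set(user);     // an unauthenticated call leaves whatever the thread held
        authorize(method, PRINCIPAL.get());        // throws on denial, so remove() below never runs
        String out = method + " ran as " + PRINCIPAL.get();
        PRINCIPAL.remove();                        // cleanup only on the success path
        return out;
    }

    /** Hardened shape: the thread-bound identity is cleared on every exit path. */
    static String hardenedHandle(String token, String method) {
        try {
            String user = lookup(token);
            if (user != null) PRINCIPAL.set(user);
            authorize(method, PRINCIPAL.get());
            return method + " ran as " + PRINCIPAL.get();
        } finally {
            PRINCIPAL.remove();
        }
    }

    interface Handler { String handle(String token, String method); }

    /** Turns a denial into a readable result so the replay can report both outcomes. */
    static String attempt(Handler h, String token, String method) {
        try {
            return h.handle(token, method);
        } catch (PermissionDenied e) {
            return e.getMessage();
        }
    }

    /** Replays the two requests on ONE worker thread and returns "first | second". */
    static String replay(Handler h) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            // Request 1: alice authenticates, asks for the admin method, and is denied.
            Callable<String> first = () -> attempt(h, "token-alice", "AdminService/Wipe");
            String r1 = worker.submit(first).get();
            // Request 2: no credentials at all, serviced by the same thread.
            Callable<String> second = () -> attempt(h, null, "UserService/Profile");
            String r2 = worker.submit(second).get();
            return r1 + " | " + r2;
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("vulnerable: " + replay(ContextLeakDemo::vulnerableHandle));
        System.out.println("hardened:   " + replay(ContextLeakDemo::hardenedHandle));
    }
}
```

With the vulnerable handler the second, credential-less request is reported as running as alice, because alice's identity survived the denial on that thread; with the hardened handler the same request is rejected as unauthenticated. The single-thread executor is only there to force thread reuse deterministically; in a real pool the same reuse happens, just not on a schedule the caller controls.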


How can this vulnerability impact me?

This vulnerability can allow an unauthenticated user to inherit the identity of a previously authenticated user on the same gRPC worker thread.

As a result, the unauthenticated user may gain escalated permissions that they should not have, potentially accessing restricted resources or performing unauthorized actions.

The impact includes low confidentiality and integrity loss but no impact on availability, according to the CVSS score.


What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade Spring gRPC to version 1.0.3 or later, where the issue is fixed. Affected releases are 1.0.0 through 1.0.2, and the advisory notes that older, unsupported versions are affected as well, so any deployment on a pre-1.0.3 release needs the upgrade.

The advisory lists no workaround or configuration change that mitigates the issue without upgrading.
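For teams that cannot roll the upgrade out immediately, the following is an added defense-in-depth guard, not a fix published by the Spring gRPC project and not part of this advisory. It assumes (an assumption on my part) that Spring gRPC's security integration keeps the caller's identity in Spring Security's SecurityContextHolder, which is thread-bound, and that the security interceptor re-establishes that context for each listener callback it handles. The guard uses only the public grpc-java ServerInterceptor and ForwardingServerCallListener APIs and clears the context before and after every callback so nothing a previous call left on a worker thread can be inherited.

```java
import io.grpc.ForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Defense-in-depth guard (added example, not project code): wipes the thread-bound Spring
 * Security context on entry to and exit from every server-call callback. Register it as the
 * OUTERMOST global server interceptor, ahead of the authentication interceptor, so that its
 * entry clear runs before authentication and its finally blocks run after the service method.
 */
public final class SecurityContextResetInterceptor implements ServerInterceptor {

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        SecurityContextHolder.clearContext();           // discard anything a prior call left on this thread
        ServerCall.Listener<ReqT> inner;
        try {
            inner = next.startCall(call, headers);      // authentication and authorization happen inside
        } finally {
            SecurityContextHolder.clearContext();       // covers an identity left behind by a denial here
        }
        return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(inner) {
            @Override public void onMessage(ReqT message) { guarded(() -> super.onMessage(message)); }
            @Override public void onHalfClose()            { guarded(super::onHalfClose); }
            @Override public void onCancel()               { guarded(super::onCancel); }
            @Override public void onComplete()             { guarded(super::onComplete); }
            @Override public void onReady()                { guarded(super::onReady); }
        };
    }

    /** Runs one callback with a clean context before it and after it, even when it throws. */
    private static void guarded(Runnable callback) {
        SecurityContextHolder.clearContext();
        try {
            callback.run();
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
}
```

How the interceptor is registered and ordered ahead of the security interceptor depends on your Spring gRPC configuration, so check that in your own setup. The guard fails closed: if the security integration in your version relied on the context surviving between callbacks on the same thread, legitimate calls would start to be rejected as unauthenticated rather than being wrongly elevated, which is why it should be tried in a test environment first and treated as a stopgap until the upgrade to 1.0.3 lands.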


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated identity to be improperly retained and inherited by subsequent unauthenticated requests, potentially leading to unauthorized privilege escalation.

Such unauthorized access and privilege escalation could result in unauthorized disclosure or modification of sensitive data, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.

Mitigating this vulnerability by upgrading to Spring gRPC version 1.0.3 is necessary to maintain compliance and reduce the risk of unauthorized data access.

