CVE-2026-40968
Status: Received - Intake
Authentication Context Leakage in Spring gRPC Allows Privilege Escalation

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VMware

Description
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: vmware
Product: spring_grpc
Version / Range: up to 1.0.3 (excluding)
CWE
CWE-653: The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
Executive Summary

CVE-2026-40968 is a medium-severity security vulnerability in Spring gRPC versions 1.0.0 through 1.0.2 and older unsupported versions.

The issue occurs when an authenticated user is denied access to a gRPC method, but their authenticated identity remains bound to the gRPC worker thread.

This identity can then be inherited by a subsequent unauthenticated request processed on the same thread, potentially allowing that subsequent user to gain escalated permissions.

In other words, the security context leaks across requests on authorization failure, leading to unauthorized privilege escalation.
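As an added illustration, not code from Spring gRPC or from this record: a minimal Java model of the pattern the description names, an identity bound to a worker thread that a denied call leaves behind, beside the try/finally clear that removes it on every exit path. The ThreadLocal context, the policy in isAllowed and all class and method names are assumptions.

```java
import java.util.concurrent.*;

// Illustrative model of the thread-bound context leak; not Spring gRPC code.
public class ContextLeakDemo {
    // Per-thread security context, standing in for a gRPC worker's bound identity.
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
    // Hypothetical policy: "admin" method needs the admin identity, "ops" needs ops.
    static boolean isAllowed(String principal, String method) {
        if (method.equals("admin")) return "admin".equals(principal);
        if (method.equals("ops")) return "ops".equals(principal);
        return true;
    }
    // Vulnerable pattern: the clear runs only on the success path, so a denied
    // call throws past it and leaves the identity bound to the worker thread.
    static String handleVulnerable(String credential, String method) {
        if (credential != null) PRINCIPAL.set(credential);
        if (!isAllowed(PRINCIPAL.get(), method)) throw new SecurityException();
        String who = PRINCIPAL.get();
        PRINCIPAL.remove();
        return who;
    }
    // Fixed pattern: the context is removed in finally, on every exit path.
    static String handleFixed(String credential, String method) {
        try {
            if (credential != null) PRINCIPAL.set(credential);
            if (!isAllowed(PRINCIPAL.get(), method)) throw new SecurityException();
            return PRINCIPAL.get();
        } finally {
            PRINCIPAL.remove();
        }
    }
    // Two requests on one worker thread: "admin" is denied on "ops", then an
    // unauthenticated caller invokes "admin". Returns the identity the second
    // call runs as, or "denied" if the worker rejected it.
    static String replay(boolean fixed) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Callable<String> first = () -> fixed ? handleFixed("admin", "ops") : handleVulnerable("admin", "ops");
            Callable<String> second = () -> fixed ? handleFixed(null, "admin") : handleVulnerable(null, "admin");
            try { worker.submit(first).get(); } catch (ExecutionException denied) { /* expected */ }
            try { return worker.submit(second).get(); } catch (ExecutionException e) { return "denied"; }
        } finally {
            worker.shutdown();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("vulnerable run: second caller acts as " + replay(false));
        System.out.println("fixed run:      second caller acts as " + replay(true));
    }
}
```

The single-thread executor stands in for the gRPC worker thread so that both requests are guaranteed to run on the same thread; a detection check in a real deployment is to assert the context is empty at the start of every request.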

Impact Analysis

This vulnerability can allow an unauthenticated user to inherit the identity of a previously authenticated user on the same gRPC worker thread.

As a result, the unauthenticated user may gain escalated permissions that they should not have, potentially accessing restricted resources or performing unauthorized actions.

According to the CVSS score, the impact is low on confidentiality and integrity and none on availability.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade affected Spring gRPC versions from 1.0.0 through 1.0.2 to version 1.0.3, where the issue is fixed.

No additional mitigation steps are necessary beyond this upgrade.

Compliance Impact

This vulnerability allows an authenticated identity to be improperly retained and inherited by subsequent unauthenticated requests, potentially leading to unauthorized privilege escalation.

Such unauthorized access and privilege escalation could result in unauthorized disclosure or modification of sensitive data, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.

Mitigating this vulnerability by upgrading to Spring gRPC version 1.0.3 is necessary to maintain compliance and reduce the risk of unauthorized data access.
