CVE-2026-40969
Status: Received - Intake
Information Disclosure via AuthenticationException in Spring gRPC 1.0.x

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VMware

Description
The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
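As an added illustration, not code from Spring gRPC or from this record, the grpc-java interceptor below contrasts the CWE-209 pattern the description names (the raw AuthenticationException message placed in the gRPC status description) with a hardened variant that sends a fixed description to the caller and keeps the reason in the server log. The class name, the logger, and the interceptor wiring are assumptions made here; Spring Security's AuthenticationException and grpc-java's ServerInterceptor, ServerCall and Status are real APIs. The fix for the affected versions is the upgrade to 1.0.3 stated in the record; this shows the class of defect, not the project's patch.

```java
import io.grpc.ForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.util.logging.Logger;
import org.springframework.security.core.AuthenticationException;

// Hypothetical interceptor (not Spring gRPC's own code) showing how an
// AuthenticationException should be mapped to a gRPC status.
public final class AuthFailureStatusInterceptor implements ServerInterceptor {

    private static final Logger LOG =
            Logger.getLogger(AuthFailureStatusInterceptor.class.getName());

    // CWE-209 pattern described in the record: the raw exception message
    // travels to the unauthenticated caller as the status description.
    static Status leakyStatus(AuthenticationException e) {
        return Status.UNAUTHENTICATED.withDescription(e.getMessage());
    }

    // Hardened pattern: a fixed description on the wire; the reason stays in
    // the server log, where operators can still diagnose the failure.
    static Status safeStatus(AuthenticationException e) {
        LOG.warning("authentication failed: " + e.getMessage());
        return Status.UNAUTHENTICATED.withDescription("Authentication failed");
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers,
            ServerCallHandler<ReqT, RespT> next) {
        ServerCall.Listener<ReqT> delegate;
        try {
            // Authentication that runs while the call starts may throw here.
            delegate = next.startCall(call, headers);
        } catch (AuthenticationException e) {
            call.close(safeStatus(e), new Metadata());
            return new ServerCall.Listener<ReqT>() { };
        }
        // Authentication that runs when a request message is handled may
        // throw from the listener callbacks instead, so wrap those too.
        return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(delegate) {
            @Override
            public void onMessage(ReqT message) {
                try {
                    super.onMessage(message);
                } catch (AuthenticationException e) {
                    call.close(safeStatus(e), new Metadata());
                }
            }

            @Override
            public void onHalfClose() {
                try {
                    super.onHalfClose();
                } catch (AuthenticationException e) {
                    call.close(safeStatus(e), new Metadata());
                }
            }
        };
    }
}
```

Register the interceptor with `ServerInterceptors.intercept(service, new AuthFailureStatusInterceptor())` when building the server. The point of `safeStatus` is that the status code alone (UNAUTHENTICATED) already tells a well-behaved client what to do, while the wording that distinguishes, say, an expired token from an unknown principal is only useful to the operator and so belongs in the log.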
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: vmware
Product: spring_grpc
Version / Range: up to 1.0.3 (excluding)
CWE
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
AI Powered Q&A
How can this vulnerability impact me?

The vulnerability can impact you by leaking sensitive information about authentication failures to unauthenticated remote attackers.

This information disclosure can aid attackers in understanding the authentication mechanisms and potentially help them bypass security controls or launch more targeted attacks.

However, the severity of this issue is considered low.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step to mitigate this vulnerability is to upgrade affected Spring gRPC versions from 1.0.0 through 1.0.2 to version 1.0.3, which contains the fix.

No additional mitigation steps are necessary beyond upgrading.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-40969 is a vulnerability in Spring gRPC versions 1.0.0 through 1.0.2 where the raw message of every server-side AuthenticationException is returned to the unauthenticated remote client within the gRPC status description.

This means that when an authentication failure occurs, detailed error information is exposed to anyone trying to connect without proper authentication.

An attacker can use this information to understand why authentication failed, which may help them in crafting further attacks.

