Executive Summary

CVE-2026-40983 is a denial-of-service (DoS) vulnerability in Micrometer's gRPC server instrumentation. It occurs when a user sends specially crafted gRPC requests to an application using a vulnerable version of Micrometer (versions 1.15.0 to 1.15.11 and 1.16.0 to 1.16.5). The vulnerability affects applications that use an ObservationRegistry, have a DefaultMeterObservationHandler or a similar custom ObservationHandler for metrics output, and employ ObservationGrpcServerInterceptor for gRPC server instrumentation.

This specially crafted request can cause the application to enter a denial-of-service state, making it unavailable to legitimate users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition in applications using vulnerable versions of Micrometer with gRPC server instrumentation. An attacker can send crafted gRPC requests that disrupt the normal operation of the application, potentially making it unavailable to legitimate users.

The impact is primarily availability-related, as indicated by the CVSS score which rates the impact on availability as high, while confidentiality and integrity are not affected.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-40983 vulnerability, you should upgrade Micrometer to the fixed versions.

• Upgrade to version 1.15.12 if you are using the 1.15.x branch.
• Upgrade to version 1.16.6 if you are using the 1.16.x branch.

No additional mitigation steps are required beyond upgrading to these fixed versions.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this denial-of-service (DoS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0