Spring gRPC 1.0.0-1.0.2 AuthEx Leakage via gRPC Status
CVE-2026-40969 Published on April 28, 2026
Spring gRPC AuthenticationException message reflected to remote client
The raw message of every server-side AuthenticationException is copied into the gRPC status description that is returned to the unauthenticated remote caller. Exception messages often carry internal detail (which check failed, token or principal values, issuer or backend names), so an attacker can probe the authentication layer and use the distinct failure messages to guide further attacks.
Affected versions:
Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
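To make the failure mode concrete, the following grpc-java ServerInterceptor is an added illustration, not Spring gRPC's own code and not the patched implementation. It authenticates a call from a bearer token with a hypothetical `authenticate` method whose exception messages contain internal detail, then maps the Spring Security AuthenticationException to a gRPC Status in two ways: the leaky pattern the advisory describes (raw `ex.getMessage()` as the status description) and a hardened variant that logs the detail server-side and returns a fixed description. The demo token and the issuer URL in the messages are constructed for the example.

```java
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;

/**
 * Illustrative interceptor (example code, not Spring gRPC's implementation).
 * Constructed with leakDetails=true it reproduces the vulnerable behaviour;
 * with leakDetails=false it shows the hardened mapping.
 */
public final class AuthInterceptor implements ServerInterceptor {

    private static final Logger log = LoggerFactory.getLogger(AuthInterceptor.class);
    private static final Metadata.Key<String> AUTHORIZATION =
            Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);

    private final boolean leakDetails;

    public AuthInterceptor(boolean leakDetails) {
        this.leakDetails = leakDetails;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        try {
            authenticate(headers.get(AUTHORIZATION));
            return Contexts.interceptCall(Context.current(), call, headers, next);
        } catch (AuthenticationException ex) {
            // Close the call with the mapped status; only code and description
            // travel to the client, so everything in the description is exposed.
            call.close(statusFor(ex), new Metadata());
            return new ServerCall.Listener<ReqT>() {};
        }
    }

    /** Hypothetical authenticator whose messages carry internal detail (assumption for the demo). */
    static void authenticate(String authHeader) {
        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
            throw new BadCredentialsException("Missing bearer token in 'authorization' header");
        }
        String token = authHeader.substring("Bearer ".length());
        if (!"s3cr3t-demo-token".equals(token)) { // constructed demo credential
            throw new BadCredentialsException(
                    "Token '" + token + "' rejected by issuer https://idp.internal.example");
        }
    }

    /** Maps the exception to a gRPC Status: leaky pattern versus hardened pattern. */
    Status statusFor(AuthenticationException ex) {
        if (leakDetails) {
            // Vulnerable pattern described in the advisory: the raw exception
            // message becomes the status description the remote caller sees.
            return Status.UNAUTHENTICATED.withDescription(ex.getMessage()).withCause(ex);
        }
        // Hardened: keep the detail in server logs, send a fixed description.
        log.warn("gRPC authentication failed: {}", ex.getMessage());
        return Status.UNAUTHENTICATED.withDescription("Authentication failed").withCause(ex);
    }
}
```

With `leakDetails=true` a client that sends `authorization: Bearer wrong` receives a StatusRuntimeException whose `getStatus().getDescription()` reads "Token 'wrong' rejected by issuer https://idp.internal.example"; with `leakDetails=false` it reads only "Authentication failed". Note that `withCause` is safe in both branches: grpc-java never serialises the cause, only the status code and description cross the wire. A quick check against a running server is to call any method without credentials and inspect the status description; anything beyond a generic string indicates the leaky mapping.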
Vulnerability Analysis
CVE-2026-40969 can be exploited with network access and requires neither privileges nor user interaction. The vulnerability is considered to have a high attack complexity. The potential impact of a successful exploit is considered small for confidentiality, and small for integrity and availability.
Weakness Type
Generation of Error Message Containing Sensitive Information
The software generates an error message that includes sensitive information about its environment, users, or associated data.
Products Associated with CVE-2026-40969
Affected Versions
Spring gRPC: versions from 1.0.0 up to but not including 1.0.3 are affected.