Unbounded Heap Growth Vulnerability in Micronaut Framework
CVE-2026-33012

7.5 HIGH

Key Information:

Vendor
CVE Published: 20 March 2026

What is CVE-2026-33012?

Micronaut Framework versions 4.7.0 through 4.10.16 contain a vulnerability in DefaultHtmlErrorResponseBodyProvider, which uses an unbounded ConcurrentHashMap cache with no eviction policy. When exceptions whose messages are influenced by user input occur, this can lead to unbounded heap growth and a potential OutOfMemoryError. Remote attackers can exploit the flaw to cause a denial of service against the application. Users are advised to update to version 4.10.17 or newer to mitigate this risk.

Affected Version(s)

micronaut-core >= 4.7.0, < 4.10.17

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
