JVM Framework Vulnerability in Micronaut Leading to Remote DoS Attacks
CVE-2026-33013

8.2 HIGH

Key Information:

Vendor
CVE Published: 20 March 2026

What is CVE-2026-33013?

The Micronaut Framework, a JVM-based full-stack Java framework for modular application development, has a vulnerability in its handling of form-urlencoded body binding. Versions prior to 4.10.16 and 3.10.5 do not correctly handle array indices supplied in descending order during binding, which can result in denial-of-service conditions. An attacker can trigger the flaw with crafted indexed form parameters, causing non-terminating loops, excessive CPU usage, and ultimately OutOfMemoryErrors. Releases 4.10.16 and 3.10.5 include mitigations for this issue.

Affected Version(s)

micronaut-core >= 4.0.0-M1, < 4.10.16

micronaut-core < 3.10.5

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
