Server-side Information Disclosure in Spring gRPC by Pivotal Software
CVE-2026-40969

3.7 LOW

Key Information:

Vendor: Spring
CVE Published: 28 April 2026

What is CVE-2026-40969?

Spring gRPC copies the raw message of each server-side AuthenticationException into the description of the gRPC status returned for the failed call. Because the rejected call is, by definition, unauthenticated, that text is readable by any remote peer that can reach the service. Depending on the exception, the message may reveal why the credential was rejected or other details of the authentication failure, which an attacker can use to refine credentials or to plan further attacks against the application. Users of affected versions should upgrade to Spring gRPC 1.0.3 or later, which no longer exposes the exception message to the caller.
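As an added illustration (not Spring gRPC's own code, and not a reproduction of its fixed interceptor), the following grpc-java ServerInterceptor shows the leaky mapping the advisory describes beside a hardened one. It assumes grpc-java, SLF4J and Spring Security's AuthenticationException are on the classpath; the TokenAuthenticator interface and the leakRawMessage switch are hypothetical stand-ins for whatever resolves credentials in a real deployment.

```java
// Added illustration, not Spring gRPC's own code. Assumes grpc-java, SLF4J and
// Spring Security on the classpath. TokenAuthenticator and leakRawMessage are
// hypothetical stand-ins used only to contrast the two behaviours.
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;

import java.util.UUID;

public final class AuthStatusInterceptor implements ServerInterceptor {
    private static final Logger log = LoggerFactory.getLogger(AuthStatusInterceptor.class);
    private static final Metadata.Key<String> AUTHORIZATION =
            Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);

    /** Hypothetical credential check; must cope with a null header and throw on failure. */
    public interface TokenAuthenticator {
        void authenticate(String authorizationHeader) throws AuthenticationException;
    }

    private final TokenAuthenticator authenticator;
    private final boolean leakRawMessage; // true reproduces the pre-1.0.3 behaviour

    public AuthStatusInterceptor(TokenAuthenticator authenticator, boolean leakRawMessage) {
        this.authenticator = authenticator;
        this.leakRawMessage = leakRawMessage;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        try {
            authenticator.authenticate(headers.get(AUTHORIZATION));
            return next.startCall(call, headers);
        } catch (AuthenticationException e) {
            // Status description travels to the peer in the grpc-message trailer.
            call.close(toStatus(e), new Metadata());
            return new ServerCall.Listener<ReqT>() {}; // no-op: the call is already closed
        }
    }

    /** Maps the server-side exception to the Status the remote, unauthenticated caller sees. */
    Status toStatus(AuthenticationException e) {
        if (leakRawMessage) {
            // Vulnerable pattern: the exception text, which may say exactly which check
            // failed or name internal components, is sent verbatim to the peer.
            return Status.UNAUTHENTICATED.withDescription(e.getMessage());
        }
        // Hardened: a fixed description for the peer; full detail only in server logs,
        // correlated by a random reference so operators can still debug a single rejection.
        String ref = UUID.randomUUID().toString();
        log.warn("Authentication failed [{}]: {}", ref, e.getMessage(), e);
        return Status.UNAUTHENTICATED
                .withDescription("Authentication failed (ref " + ref + ")")
                .withCause(e); // cause stays local; grpc-java never serialises it to the client
    }
}
```

When verifying a fix, check what the client actually receives: the description is what a caller reads from the StatusRuntimeException, while anything attached with withCause stays on the server. A quick test is to send two different kinds of bad credential (for example a malformed token and a well-formed but expired one) and confirm the returned descriptions are identical.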

Affected Version(s)

Spring gRPC 1.0.0 through 1.0.2 (all releases >= 1.0.0 and < 1.0.3; fixed in 1.0.3)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Note: a pure information disclosure has no availability impact, and the metrics above are the only ones that reproduce the listed 3.7 base score; with Availability set to Low the same vector would score 4.8.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 28 April 2026