CVE-2026-40969 LOW

CVE-2026-40969: Spring gRPC AuthenticationException message reflected to remote client

Vendor Spring
Product Spring gRPC
Weakness CWE-209 · Error message info leak
Published April 28, 2026
Last update April 28, 2026

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

Key dates

02Disclosure timeline

April 28, 2026 CVE published
April 28, 2026 Record updated