{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40968", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:18:56.133Z", "datePublished": "2026-04-28T13:42:35.525Z", "dateUpdated": "2026-04-28T14:36:35.953Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-28T13:42:35.525Z"}, "title": "Spring gRPC SecurityContext leaks across requests on authorization failure", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-653", "description": "CWE-653: Improper Isolation or Compartmentalization", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "A subsequent request on the same gRPC worker thread may inherit a prior user\u2019s authenticated identity after an authorization failure, enabling privilege escalation (CVSS v3.1: low confidentiality and integrity impact)."}]}], "affected": [{"vendor": "Spring", "product": "Spring gRPC", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.\n\nAffected versions:\nSpring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.<br><br>Affected versions:<br>Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected."}]}], "references": [{"url": "https://spring.io/security/cve-2026-40968"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:36:11.607363Z", "id": "CVE-2026-40968", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:36:35.953Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40968", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:18:56.133Z", "datePublished": "2026-04-28T13:42:35.525Z", "dateUpdated": "2026-04-28T14:36:35.953Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-28T13:42:35.525Z"}, "title": "Spring gRPC SecurityContext leaks across requests on authorization failure", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-653", "description": "CWE-653: Improper Isolation or Compartmentalization", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "A subsequent request on the same gRPC worker thread may inherit a prior user\u2019s authenticated identity after an authorization failure, enabling privilege escalation (CVSS v3.1: low confidentiality and integrity impact)."}]}], "affected": [{"vendor": "Spring", "product": "Spring gRPC", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.\n\nAffected versions:\nSpring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.<br><br>Affected versions:<br>Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected."}]}], "references": [{"url": "https://spring.io/security/cve-2026-40968"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40968", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:36:11.607363Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:36:28.833Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.\n\nAffected versions:\nSpring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected."}], "id": "CVE-2026-40968", "lastModified": "2026-04-28T20:10:59.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-28T15:16:30.400", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-40968"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-653"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T23:18:22.692923+00:00", "value": {"mitigation_remediation": ["Upgrade to Spring gRPC 1.0.3 or newer to receive the security fix.", "Configure the application to use a dedicated thread pool for gRPC so that stateful context is not reused across requests.", "If upgrading cannot happen immediately, add a filter or interceptor that clears the SecurityContext after a failed authorization to prevent context leakage."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The Spring gRPC library version 1.0.0 through 1.0.2 is affected. The vulnerability was fixed in 1.0.3, and older unsupported releases are also vulnerable.", "description_and_impact": "When an authenticated user is denied access to a gRPC method, the user\u2019s credential remains bound to the worker thread handling the request. If a later request is processed on the same thread without authenticating, the original identity can be inherited, potentially giving the new caller elevated privileges. This flaw is a practical example of a context\u2011leak exploitation that can elevate an attacker\u2019s authority within the same application.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog, so there are no publicly known exploits at this time. The compromise depends on a request sequence that occurs on the same worker thread; thus, an attacker would need to influence thread usage or trigger a chain of requests within the same service. While the threat is generally internal, the ability to inherit an authenticated context motivates timely remediation."}}}}, "created": "2026-04-28T23:30:06.094390+00:00", "updated": "2026-04-28T23:30:06.094412+00:00", "vendors": []}