{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40969", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:18:56.133Z", "datePublished": "2026-04-28T14:54:07.360Z", "dateUpdated": "2026-04-28T17:21:36.495Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-28T14:54:07.360Z"}, "title": "Spring gRPC AuthenticationException message reflected to remote client", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Unauthenticated callers can read server-side AuthenticationException messages via gRPC status descriptions, leaking information useful for further attacks (CVSS v3.1: low confidentiality impact)."}]}], "affected": [{"vendor": "Spring", "product": "Spring gRPC", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.\n\nAffected versions:\nSpring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.<br><br>Affected versions:<br>Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected."}]}], "references": [{"url": "https://spring.io/security/cve-2026-40969"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T17:21:24.098415Z", "id": "CVE-2026-40969", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:21:36.495Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.\n\nAffected versions:\nSpring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected."}], "id": "CVE-2026-40969", "lastModified": "2026-04-28T20:10:59.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-28T15:16:30.560", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-40969"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T19:13:01.548176+00:00", "value": {"mitigation_remediation": ["Upgrade Spring gRPC to version 1.0.3 or later to incorporate the fix.", "If an upgrade is infeasible, reconfigure the gRPC server to suppress detailed exception messages for unauthenticated callers, returning a generic error status instead.", "Audit authentication flows and logging to ensure no sensitive information is exposed via status messages or logs, and validate that the applied configuration does not leak credentials or internal state."], "summary": {"action": "Patch Upgrade", "impact": "Information disclosure of authentication failure details"}, "threat_synthesis": {"affected_systems": "Spring gRPC versions 1.0.0 through 1.0.2, as well as any older unsupported releases, are affected. The issue was fixed in version 1.0.3.", "description_and_impact": "The vulnerability permits every server\u2011side AuthenticationException message to be relayed back to an unauthenticated remote caller in the gRPC status description. This reveals information about the nature of the authentication failure, potentially aiding attackers in refining their attack vectors. The weakness aligns with CWE\u2011209, which relates to information exposure through error messages.", "risk_and_exploitability": "The CVSS score of 3.7 indicates a moderate severity, and no EPSS score is provided. The vulnerability is not listed in CISA KEV. Attackers can exploit it remotely by invoking gRPC methods without proper authentication, receiving detailed status descriptions that disclose failure reasons. The attack requires no special credentials and can be performed over any exposed gRPC endpoint."}}}}, "created": "2026-04-28T19:15:25.435134+00:00", "updated": "2026-04-28T19:15:25.435163+00:00", "vendors": []}