Description
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.

Affected versions:
Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Published: 2026-04-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When an authenticated user is denied access to a gRPC method, the caller's Authentication remains bound to the worker thread that handled the request. Spring Security's SecurityContextHolder stores the context in a ThreadLocal by default, and gRPC worker threads are pooled, so a later request processed on the same thread without authenticating can inherit the earlier identity and act with its privileges. The weakness is classified as CWE-653 (Improper Isolation or Compartmentalization): per-request state is not isolated from the next request on the same thread.

Affected Systems

The Spring gRPC library version 1.0.0 through 1.0.2 is affected. The vulnerability was fixed in 1.0.3, and older unsupported releases are also vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates moderate severity: the flaw is reachable over the network with low privileges and no user interaction, but attack complexity is high because the escalation depends on request ordering across a pooled worker thread, which the attacker would have to influence or wait for, and the impact is limited to partial loss of confidentiality and integrity. The vulnerability is not listed in the CISA KEV catalog and the SSVC assessment records no known exploitation; neither fact rules out a working exploit, and the mechanism is simple enough that remediation should not wait for one. Because any authenticated-then-denied caller can leave an identity behind for an unauthenticated follow-up, the inherited context can be more privileged than anything the attacker holds, which motivates timely remediation.

Generated by OpenCVE AI on April 28, 2026 at 23:18 UTC.

Remediation

Vendor fix: upgrade to Spring gRPC 1.0.3 or later (see Affected versions above). The advisory text lists no workaround.

OpenCVE Recommended Actions

  • Upgrade to Spring gRPC 1.0.3 or newer to receive the security fix.
  • Do not rely on thread-pool isolation as a mitigation: any pooled worker thread, including one in a dedicated gRPC executor, is reused for later requests, so a separate pool does not by itself stop a stale SecurityContext from being inherited.
  • If upgrading cannot happen immediately, add an outermost gRPC ServerInterceptor that clears the SecurityContextHolder after every call and every listener callback, including the path where authorization fails, and verify with a two-request test on a single worker thread that the second, unauthenticated request observes no Authentication.

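The following is an added example, not code from the Spring gRPC project or from this advisory, illustrating both the leak described under Impact and the interim interceptor suggested in the Recommended Actions. It assumes grpc-api and spring-security-core on the classpath; the class name ClearSecurityContextInterceptor, the simulated denial, and the user "alice" are assumptions for illustration. The main method reproduces the mechanism without a gRPC server: a single-thread executor stands in for one gRPC worker thread handling two requests in a row.

```java
// Added example (not Spring gRPC project code). Assumes io.grpc (grpc-api) and
// spring-security-core on the classpath; names below are illustrative.
import io.grpc.ForwardingServerCallListener.SimpleForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public final class ClearSecurityContextInterceptor implements ServerInterceptor {

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        ServerCall.Listener<ReqT> delegate;
        try {
            // Downstream authentication/authorization interceptors run inside startCall;
            // if they bind an Authentication to this thread and then deny the call,
            // the finally block removes it before the thread returns to the pool.
            delegate = next.startCall(call, headers);
        } finally {
            SecurityContextHolder.clearContext();
        }
        // Every later callback for this call may run on a different pooled thread,
        // so each one is cleaned up independently.
        return new SimpleForwardingServerCallListener<ReqT>(delegate) {
            @Override public void onMessage(ReqT m) { try { super.onMessage(m); } finally { SecurityContextHolder.clearContext(); } }
            @Override public void onHalfClose()    { try { super.onHalfClose(); } finally { SecurityContextHolder.clearContext(); } }
            @Override public void onCancel()       { try { super.onCancel(); }    finally { SecurityContextHolder.clearContext(); } }
            @Override public void onComplete()     { try { super.onComplete(); }  finally { SecurityContextHolder.clearContext(); } }
            @Override public void onReady()        { try { super.onReady(); }     finally { SecurityContextHolder.clearContext(); } }
        };
    }

    /**
     * Reproduces the leak mechanism on one worker thread (simulated by a
     * single-thread executor). Returns the Authentication that the second,
     * unauthenticated "request" observes.
     */
    static Authentication runDeniedThenAnonymous(ExecutorService worker, boolean clearAfterDenial)
            throws Exception {
        worker.submit(() -> {
            // Request 1: caller authenticates (constructed token for "alice"), then is
            // denied. Without cleanup the token stays bound to the thread.
            SecurityContextHolder.getContext().setAuthentication(
                    new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN"));
            try {
                throw new SecurityException("access denied (simulated)");
            } catch (SecurityException denied) {
                if (clearAfterDenial) {
                    SecurityContextHolder.clearContext();
                }
            }
        }).get();
        // Request 2: no credentials presented, same worker thread.
        return worker.submit(() -> SecurityContextHolder.getContext().getAuthentication()).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            System.out.println("leaked without cleanup: "
                    + (runDeniedThenAnonymous(worker, false) != null));
            System.out.println("leaked with cleanup:    "
                    + (runDeniedThenAnonymous(worker, true) != null));
        } finally {
            worker.shutdown();
        }
    }
}
```

The first run observes alice's token from the second, credential-less task; the second run observes nothing. When wiring the interceptor into a real server, register it so that it is the outermost interceptor in the chain (the first to have startCall invoked), otherwise its finally blocks run before the authentication and authorization interceptors have had their turn. Because it clears the context after startCall returns, it assumes downstream components that need the Authentication inside listener callbacks re-establish it per callback, which grpc-java's threading model already requires since callbacks are not guaranteed to run on the startCall thread; confirm with the project's own integration tests that authorized calls still succeed before deploying this as an interim measure, and treat the upgrade to 1.0.3 as the actual fix.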

Advisories

No advisories yet.

References
History

Thu, 30 Apr 2026 13:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Vmware
                                        Vmware spring Grpc
CPEs                                    cpe:2.3:a:vmware:spring_grpc:*:*:*:*:*:*:*:*
Vendors & Products                      Vmware
                                        Vmware spring Grpc

Wed, 29 Apr 2026 10:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Spring
                                        Spring spring
Vendors & Products                      Spring
                                        Spring spring

Tue, 28 Apr 2026 15:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 14:30:00 +0000

Type                  Values Removed    Values Added
Description                             When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Title                                   Spring gRPC SecurityContext leaks across requests on authorization failure
Weaknesses                              CWE-653
References
Metrics                                 cvssV3_1
                                        {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T14:36:35.953Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40968

Vulnrichment

Updated: 2026-04-28T14:36:28.833Z

NVD

Status : Analyzed

Published: 2026-04-28T15:16:30.400

Modified: 2026-04-30T13:32:58.017

Link: CVE-2026-40968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:00:09Z

Weaknesses