Description
The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.

Affected versions:
Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Published: 2026-04-28
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits every server‑side AuthenticationException message to be relayed back to an unauthenticated remote caller in the gRPC status description. This reveals information about the nature of the authentication failure, potentially aiding attackers in refining their attack vectors. The weakness aligns with CWE‑209, which relates to information exposure through error messages.

Affected Systems

Spring gRPC versions 1.0.0 through 1.0.2, as well as any older unsupported releases, are affected. The issue was fixed in version 1.0.3.

Risk and Exploitability

The CVSS score of 3.7 indicates a moderate severity, and no EPSS score is provided. The vulnerability is not listed in CISA KEV. Attackers can exploit it remotely by invoking gRPC methods without proper authentication, receiving detailed status descriptions that disclose failure reasons. The attack requires no special credentials and can be performed over any exposed gRPC endpoint.

Generated by OpenCVE AI on April 28, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring gRPC to version 1.0.3 or later to incorporate the fix.
  • If an upgrade is infeasible, reconfigure the gRPC server to suppress detailed exception messages for unauthenticated callers, returning a generic error status instead.
  • Audit authentication flows and logging to ensure no sensitive information is exposed via status messages or logs, and validate that the applied configuration does not leak credentials or internal state.

Generated by OpenCVE AI on April 28, 2026 at 19:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-40969 cve-icon cve-icon
History

Thu, 30 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Grpc
CPEs cpe:2.3:a:vmware:spring_grpc:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Grpc

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring
Vendors & Products Spring
Spring spring

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Title Spring gRPC AuthenticationException message reflected to remote client
Weaknesses CWE-209
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Spring Spring
Vmware Spring Grpc
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T17:21:36.495Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40969

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T15:16:30.560

Modified: 2026-04-30T13:24:42.033

Link: CVE-2026-40969

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:00:09Z

Weaknesses