Description
In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.

Affected versions:
Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Micrometer’s gRPC server instrumentation, where a crafted gRPC request can exhaust server resources and lead to a denial of service. This weakness is a classic example of unvalidated input misuse (CWE-400), allowing an attacker to trigger excessive load without executing arbitrary code or elevating privileges.

Affected Systems

Affected products include Spring:Micrometer version 1.15.0 through 1.15.11 and 1.16.0 through 1.16.5. Any deployment of these Micrometer releases is susceptible to the DoS condition described.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for denial of service. The EPSS score of < 1% suggests a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The lack of an authentication requirement in the description implies a likely remote exploit surface. The vulnerability is a resource exhaustion weakness that can affect availability but does not grant code execution or privilege escalation.

Generated by OpenCVE AI on June 26, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Micrometer to version 1.17.0 or later to remove the vulnerability
  • If upgrading cannot be performed immediately, apply rate limiting or circuit breaking to the gRPC endpoints that route through Micrometer
  • Monitor application metrics for abnormal CPU or memory spikes associated with gRPC calls and trigger alerts if thresholds are exceeded
  • Restrict access to the vulnerable gRPC endpoints to trusted clients or network segments when feasible

Generated by OpenCVE AI on June 26, 2026 at 01:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Important


Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring micrometer
Vendors & Products Spring
Spring micrometer

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.
Title Micrometer gRPC server instrumentation DoS vulnerability
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Spring Micrometer
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-30T12:08:52.336Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40983

cve-icon Vulnrichment

Updated: 2026-06-09T13:53:52.376Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:34.653

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-40983

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-09T03:46:54Z

Links: CVE-2026-40983 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:30:17Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling