Description
In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.

Affected versions:
Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Micrometer’s gRPC server instrumentation, where a crafted gRPC request can exhaust server resources and lead to a denial of service. This weakness is a classic example of unvalidated input misuse (CWE-400), allowing an attacker to trigger excessive load without executing arbitrary code or elevating privileges.

Affected Systems

Affected products include Spring:Micrometer version 1.15.0 through 1.15.11 and 1.16.0 through 1.16.5. Any deployment of these Micrometer releases is susceptible to the DoS condition described.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for denial of service. The EPSS score is not available, but the lack of authentication requirement in the description suggests a likely remote exploit surface. The vulnerability is not listed in the CISA KEV catalog, yet its impact on availability warrants urgent remediation.

Generated by OpenCVE AI on June 9, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Micrometer to version 1.17.0 or later to remove the vulnerability
  • If upgrading cannot be performed immediately, apply rate limiting or circuit breaking to the gRPC endpoints that route through Micrometer
  • Monitor application metrics for abnormal CPU or memory spikes associated with gRPC calls and trigger alerts if thresholds are exceeded
  • Restrict access to the vulnerable gRPC endpoints to trusted clients or network segments when feasible

Generated by OpenCVE AI on June 9, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-40983 cve-icon cve-icon
History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring micrometer
Vendors & Products Spring
Spring micrometer

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.
Title Micrometer gRPC server instrumentation DoS vulnerability
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Spring Micrometer
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:54:04.441Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40983

cve-icon Vulnrichment

Updated: 2026-06-09T13:53:52.376Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:34.653

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-40983

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:55:52Z

Weaknesses