Description
In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Affected versions:
micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17.
micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Micrometer, a popular Java library used in Spring for application monitoring, contains an input validation weakness that allows an attacker to send specially constructed HTTP requests. When processed, these requests consume excessive server resources and can exhaust them, leading to a denial of service that blocks legitimate traffic.

Affected Systems

The flaw is present in Spring Micrometer's core and Jetty integrations. Affected versions include micrometer-core 1.9.0-1.9.17, 1.13.0-1.13.18, 1.14.0-1.14.15, 1.15.0-1.15.11, and 1.16.0-1.16.5; and micrometer-jetty11 and micrometer-jetty12 in the same version ranges.

Risk and Exploitability

The CVSS score of 7.5 classifies this as a high-severity vulnerability. The EPSS score of 0.00416 indicates a very low probability of exploitation. While the vulnerability is not listed in the CISA KEV catalog, its existence means that exploitation could still occur, especially if the vulnerable middleware is exposed to the internet. The attack is remote and unauthenticated; an attacker can trigger the denial of service by sending crafted HTTP requests to any Micrometer-instrumented endpoint.

Generated by OpenCVE AI on June 26, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Micrometer to the latest available release, which removes the input validation flaw.
  • If a direct upgrade cannot be performed immediately, block or throttle requests targeting the Micrometer instrumentation endpoints to prevent resource exhaustion.
  • Continuously monitor logs for abnormal request patterns or application-level errors that may indicate attempts to exploit the vulnerability and consider temporarily disabling HTTP server instrumentation until a patch is applied.

Generated by OpenCVE AI on June 26, 2026 at 02:06 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type         Values Removed              Values Added
Weaknesses                               CWE-770
References
Metrics      threat_severity: None       threat_severity: Important


Tue, 09 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Spring; Spring micrometer
Vendors & Products                     Spring; Spring micrometer

Tue, 09 Jun 2026 04:45:00 +0000

Type         Values Removed   Values Added
Description                   In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
Title                         Micrometer HTTP server instrumentations DoS vulnerability
Weaknesses                    CWE-400
References
Metrics                       cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Spring Micrometer
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-30T12:08:52.054Z

Reserved: 2026-04-16T02:19:09.388Z

Link: CVE-2026-40984

Vulnrichment

Updated: 2026-06-09T13:49:59.796Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T05:16:34.780

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-40984

Redhat

Severity: Important

Public Date: 2026-06-09T03:47:46Z

Links: CVE-2026-40984 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T02:15:15Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling