Description
In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Affected versions:
micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17.
micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Micrometer, a popular Java library used in Spring for application monitoring, contains an input validation weakness that allows an attacker to send specially constructed HTTP requests. When processed, these requests consume excessive server resources and can exhaust them, leading to a denial of service that blocks legitimate traffic.

Affected Systems

The flaw is present in Spring Micrometer's core and Jetty integrations. Affected versions include micrometer-core 1.9.0-1.9.17, 1.13.0-1.13.18, 1.14.0-1.14.15, 1.15.0-1.15.11, and 1.16.0-1.16.5; and micrometer-jetty11 and micrometer-jetty12 in the same version ranges.

Risk and Exploitability

The CVSS score of 7.5 classifies this as a high-severity vulnerability. Although EPSS data is not available, the absence of a KEV listing suggests no known exploitation in the wild yet. The likely attack vector is remote and unauthenticated; an adversary can trigger the denial of service by sending crafted HTTP requests to any Micrometer-instrumented endpoint.

Generated by OpenCVE AI on June 9, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Micrometer to the latest available release, which removes the input validation flaw.
  • If a direct upgrade cannot be performed immediately, block or throttle requests targeting the Micrometer instrumentation endpoints to prevent resource exhaustion.
  • Continuously monitor logs for abnormal request patterns or application-level errors that may indicate attempts to exploit the vulnerability and consider temporarily disabling HTTP server instrumentation until a patch is applied.


Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Spring; Spring micrometer
Vendors & Products    -                Spring; Spring micrometer

Tue, 09 Jun 2026 04:45:00 +0000

Type          Values Removed   Values Added
Description   -                In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
Title         -                Micrometer HTTP server instrumentations DoS vulnerability
Weaknesses    -                CWE-400
References    -                -
Metrics       -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Spring Micrometer
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:50:04.966Z

Reserved: 2026-04-16T02:19:09.388Z

Link: CVE-2026-40984

Vulnrichment

Updated: 2026-06-09T13:49:59.796Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:34.780

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-40984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:55:51Z

Weaknesses