CVE-2026-40983 PUBLISHED

Micrometer gRPC server instrumentation DoS vulnerability

Assigner: vmware
Reserved: 16.04.2026 Published: 09.06.2026 Updated: 09.06.2026

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.

Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor: Spring
Product: Micrometer
Versions (default: unaffected):
  • affected from 1.16.0 to 1.16.6 (excl.)
  • affected from 1.15.0 to 1.15.12 (excl.)

Problem Types

  • CWE-400: Uncontrolled Resource Consumption

Impacts

  • An unauthenticated remote attacker can cause denial of service by sending specially crafted gRPC requests that trigger excessive resource consumption in applications using Micrometer's ObservationGrpcServerInterceptor.