CVE-2026-40984 PUBLISHED

Micrometer HTTP server instrumentations DoS vulnerability

Assigner: vmware
Reserved: 16.04.2026 Published: 09.06.2026 Updated: 09.06.2026

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Affected versions:

  • micrometer-core: 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17.
  • micrometer-jetty11: 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
  • micrometer-jetty12: 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor Spring
Product Micrometer
Versions Default: unaffected
  • affected from 1.16.0 to 1.16.6 (excl.)
  • affected from 1.15.0 to 1.15.12 (excl.)
  • affected from 1.14.0 to 1.14.16 (excl.)
  • affected from 1.13.0 to 1.13.19 (excl.)
  • affected from 1.9.0 to 1.9.18 (excl.)
Vendor Spring
Product Micrometer
Versions Default: unaffected
  • affected from 1.16.0 to 1.16.6 (excl.)
  • affected from 1.15.0 to 1.15.12 (excl.)
  • affected from 1.14.0 to 1.14.16 (excl.)
  • affected from 1.13.0 to 1.13.19 (excl.)
Vendor Spring
Product Micrometer
Versions Default: unaffected
  • affected from 1.16.0 to 1.16.6 (excl.)
  • affected from 1.15.0 to 1.15.12 (excl.)
  • affected from 1.14.0 to 1.14.16 (excl.)
  • affected from 1.13.0 to 1.13.19 (excl.)

Problem Types

  • CWE-400: Uncontrolled Resource Consumption

Impacts

  • An unauthenticated remote attacker can cause denial of service by sending specially crafted HTTP requests that trigger excessive resource consumption in applications using Micrometer HTTP server instrumentations.