CVE-2026-40968: Spring gRPC SecurityContext leaks across requests on authorization failure
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
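The defect class here is a thread-local that is populated on entry but only cleared on the success path. As an added illustration (not Spring gRPC's own code, and not the actual patch), the gRPC-java interceptor below binds a Spring Security Authentication to the worker thread and clears it in a finally block so that a PERMISSION_DENIED return cannot leave the identity behind for the next request on that thread; the authenticator and authorizer collaborators are assumed.

```java
import io.grpc.*;
import io.grpc.ForwardingServerCallListener.SimpleForwardingServerCallListener;
import java.util.function.BiPredicate;
import java.util.function.Function;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public final class AuthorizingInterceptor implements ServerInterceptor {
    private final Function<Metadata, Authentication> authenticator; // assumed: metadata -> identity, null if anonymous
    private final BiPredicate<Authentication, String> authorizer;   // assumed: (identity, full method name) -> allowed?

    public AuthorizingInterceptor(Function<Metadata, Authentication> authenticator,
                                  BiPredicate<Authentication, String> authorizer) {
        this.authenticator = authenticator;
        this.authorizer = authorizer;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        Authentication auth = authenticator.apply(headers);
        // SecurityContextHolder is thread-local by default, so this binds the caller's identity
        // to whichever gRPC worker thread is running this call.
        SecurityContextHolder.getContext().setAuthentication(auth);
        try {
            String method = call.getMethodDescriptor().getFullMethodName();
            if (auth == null || !authorizer.test(auth, method)) {
                call.close(Status.PERMISSION_DENIED, new Metadata());
                // The leaky shape returns here without clearing: the identity stays on the worker
                // thread, and the next request dispatched to it starts out already authenticated.
                return new ServerCall.Listener<ReqT>() {};
            }
            ServerCall.Listener<ReqT> delegate = next.startCall(call, headers);
            return new SimpleForwardingServerCallListener<ReqT>(delegate) {
                @Override public void onMessage(ReqT m) { bound(() -> super.onMessage(m)); }
                @Override public void onHalfClose() { bound(super::onHalfClose); }
                @Override public void onCancel()    { bound(super::onCancel); }
                @Override public void onComplete()  { bound(super::onComplete); }
                private void bound(Runnable callback) {
                    // Later callbacks may land on a different worker thread: bind, run, always clear.
                    SecurityContextHolder.getContext().setAuthentication(auth);
                    try { callback.run(); } finally { SecurityContextHolder.clearContext(); }
                }
            };
        } finally {
            // Hardened shape: clear on every exit path, including the denial above.
            SecurityContextHolder.clearContext();
        }
    }
}
```

A quick check in a test is to run a denied call and then assert that SecurityContextHolder.getContext().getAuthentication() is null on the same thread afterwards.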
Frequently Asked Questions
What is the severity of CVE-2026-40968?
CVE-2026-40968 has a medium severity rating due to the potential for unauthorized access via thread context leakage.
How do I fix CVE-2026-40968?
To fix CVE-2026-40968, upgrade to Spring gRPC version 1.0.4 or later.
What types of applications are affected by CVE-2026-40968?
CVE-2026-40968 affects applications using Spring gRPC versions prior to 1.0.4 that employ authorization for gRPC methods.
What is the impact of CVE-2026-40968?
The impact of CVE-2026-40968 includes potential unauthorized access where an authenticated user's identity may be inherited by unauthenticated requests.
Who is responsible for the vulnerability CVE-2026-40968?
The responsibility for addressing CVE-2026-40968 lies with the developers and users of the Spring gRPC framework.