Low severity3.7NVD Advisory· Published Apr 28, 2026· Updated Apr 30, 2026

CVE-2026-40969

Description

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.

Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.grpc:spring-grpcMaven	< 1.0.3	1.0.3

Affected products

VMware/Spring Grpc
cpe:2.3:a:vmware:spring_grpc:*:*:*:*:*:*:*:*
Range: <1.0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-37w2-q6vh-45v6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-40969ghsaADVISORY
spring.io/security/cve-2026-40969nvdVendor AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.240
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000