CVE-2026-40983

Vulnerability

In Micrometer, applications using specific versions of io.micrometer:micrometer-core (1.16.0 through 1.16.5 and 1.15.0 through 1.15.11) are vulnerable if an ObservationRegistry is configured, DefaultMeterObservationHandler is used for metrics output, and ObservationGrpcServerInterceptor is employed to instrument the gRPC server. Specially crafted gRPC requests can trigger a denial-of-service condition [1].

Exploitation

An unauthenticated attacker with network access can send specially crafted gRPC requests to an instrumented gRPC server. If the server is configured with the vulnerable Micrometer versions and specific observation handlers, these requests can lead to a denial-of-service condition. No user interaction is required [1].

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition, making the gRPC server unavailable to legitimate users. This impacts the availability of the application's services [1].

Mitigation

Users should upgrade to Micrometer version 1.16.6 or 1.15.12. Older versions prior to 1.15.0 are not affected. No further mitigation steps are necessary beyond upgrading [1].