CVE-2026-40969: CWE-209: Generation of Error Message Containing Sensitive Information in Spring Spring gRPC
CVE-2026-40969 is a vulnerability in Spring gRPC versions 1. 0. 0 through 1. 0. 2 where server-side AuthenticationException messages are returned verbatim to unauthenticated remote callers. This behavior leaks sensitive information about authentication failures, potentially aiding attackers in further attacks. The issue is fixed in version 1. 0. 3. The vulnerability has a low severity score of 3.
AI Analysis
Technical Summary
Spring gRPC versions 1.0.0 to 1.0.2 expose the raw message of server-side AuthenticationException errors in the gRPC status description sent to unauthenticated remote callers. This information disclosure (CWE-209) can reveal details about authentication failures, which may help attackers refine their attack strategies. The vulnerability is resolved in version 1.0.3. No known exploits are reported in the wild. The CVSS v3.1 score is 3.7 (low), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality impact.
Potential Impact
The vulnerability allows an attacker to obtain sensitive information from error messages related to authentication failures. This information disclosure is limited to confidentiality and does not affect integrity or availability. While the impact is low, the leaked information could assist attackers in crafting further attacks against the authentication mechanism.
Mitigation Recommendations
Upgrade Spring gRPC to version 1.0.3 or later, where this vulnerability is fixed. Since the vendor advisory does not provide additional remediation details, applying this official fix is the recommended action. No other mitigations or temporary fixes are indicated.
CVE-2026-40969: CWE-209: Generation of Error Message Containing Sensitive Information in Spring Spring gRPC
Description
CVE-2026-40969 is a vulnerability in Spring gRPC versions 1. 0. 0 through 1. 0. 2 where server-side AuthenticationException messages are returned verbatim to unauthenticated remote callers. This behavior leaks sensitive information about authentication failures, potentially aiding attackers in further attacks. The issue is fixed in version 1. 0. 3. The vulnerability has a low severity score of 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Spring gRPC versions 1.0.0 to 1.0.2 expose the raw message of server-side AuthenticationException errors in the gRPC status description sent to unauthenticated remote callers. This information disclosure (CWE-209) can reveal details about authentication failures, which may help attackers refine their attack strategies. The vulnerability is resolved in version 1.0.3. No known exploits are reported in the wild. The CVSS v3.1 score is 3.7 (low), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality impact.
Potential Impact
The vulnerability allows an attacker to obtain sensitive information from error messages related to authentication failures. This information disclosure is limited to confidentiality and does not affect integrity or availability. While the impact is low, the leaked information could assist attackers in crafting further attacks against the authentication mechanism.
Mitigation Recommendations
Upgrade Spring gRPC to version 1.0.3 or later, where this vulnerability is fixed. Since the vendor advisory does not provide additional remediation details, applying this official fix is the recommended action. No other mitigations or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-16T02:18:56.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f0d09ecbff5d86102a30d4
Added to database: 4/28/2026, 3:22:06 PM
Last enriched: 4/28/2026, 3:36:53 PM
Last updated: 4/28/2026, 5:47:23 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.