cvedb.io
CVE-2026-40969
LOW · CVSS 3.7
EPSS exploitation probability: 0%
Published 2026-04-28T15:16:30.560 · Last modified 2026-06-17T10:45:57.387

Summary

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

Affected products

vmware — spring_grpc

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.