VIR Vulnerability Intelligence Relay

CVE-2026-40968

high
Published 2026-04-28 · Modified 2026-05-06
CVSS v3
8.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS v2
VIR risk
8.8

Description

Spring gRPC SecurityContext leaks across requests upon authorization failure

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@vmware.com — https://spring.io/security/cve-2026-40968

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.springframework.grpc:spring-grpc<1.0.31.0.3
java MAVENorg.springframework.grpc:spring-grpc< 1.0.31.0.3

Application impact
VendorProductVersionsFixed
vmware vmwarespring_grpc{"endExcluding":"1.0.3"}1.0.3

References

CWEs

CWE-653

Verify integrity in audit chain (admin only). AS-IS.