{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40983", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:19:04.616Z", "datePublished": "2026-06-09T03:46:54.131Z", "dateUpdated": "2026-06-23T19:56:44.379Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-23T19:56:44.379Z"}, "title": "Micrometer gRPC server instrumentation DoS vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can cause denial of service by sending specially crafted gRPC requests that trigger excessive resource consumption in applications using Micrometer's ObservationGrpcServerInterceptor."}]}], "affected": [{"vendor": "Spring", "product": "Micrometer", "versions": [{"status": "affected", "version": "1.16.0", "lessThan": "1.16.5.1", "versionType": "custom"}, {"status": "affected", "version": "1.15.0", "lessThan": "1.15.11.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.\n\nAffected versions:\nMicrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.\n\nAffected versions:\nMicrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11."}]}], "references": [{"url": "https://spring.io/security/cve-2026-40983"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-09T13:53:39.829639Z", "id": "CVE-2026-40983", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T13:54:04.441Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-09T13:53:39.829639Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T13:53:52.376Z"}}], "cna": {"title": "Micrometer gRPC server instrumentation DoS vulnerability", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can cause denial of service by sending specially crafted gRPC requests that trigger excessive resource consumption in applications using Micrometer's ObservationGrpcServerInterceptor."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Micrometer", "versions": [{"status": "affected", "version": "1.16.0", "lessThan": "1.16.5.1", "versionType": "custom"}, {"status": "affected", "version": "1.15.0", "lessThan": "1.15.11.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-40983"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.\n\nAffected versions:\nMicrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.", "supportingMedia": [{"type": "text/html", "value": "In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.\n\nAffected versions:\nMicrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-23T19:56:44.379Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40983", "state": "PUBLISHED", "dateUpdated": "2026-06-23T19:56:44.379Z", "dateReserved": "2026-04-16T02:19:04.616Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-06-09T03:46:54.131Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.\n\nAffected versions:\nMicrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11."}], "id": "CVE-2026-40983", "lastModified": "2026-06-09T13:49:39.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-06-09T05:16:34.653", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-40983"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "micrometer: micrometer-core: Micrometer: Denial of Service via specially crafted gRPC requests", "id": "2486697", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486697"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.\nAffected versions:\nMicrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.", "A flaw was found in Micrometer. A remote attacker can provide specially crafted gRPC (gRPC Remote Procedure Call) requests, which may lead to a denial-of-service (DoS) condition. This vulnerability allows an attacker to disrupt the availability of the affected system."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to services exposing Micrometer's gRPC endpoints to trusted clients only. Implement firewall rules to limit inbound connections to the specific ports used by gRPC. If gRPC functionality is not essential for the deployment, consider disabling it entirely to eliminate the attack vector. Any changes to network configurations or service settings may require a service restart to take effect, potentially impacting availability during the transition."}, "name": "CVE-2026-40983", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat AMQ Clients"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "micrometer-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Fix deferred", "package_name": "micrometer-core", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Not affected", "package_name": "micrometer-core", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9-operator", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk-openshift-rhel9/rhbk-openshift-rhel9", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk-rhel9-operator/rhbk-rhel9-operator", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "micrometer-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Under investigation", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Under investigation", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Under investigation", "package_name": "devspaces/server-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Under investigation", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Under investigation", "package_name": "satellite:el8/candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "micrometer-core", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "micrometer-core", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-06-09T03:46:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40983\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40983\nhttps://spring.io/security/cve-2026-40983"], "statement": "This is an Important denial-of-service vulnerability in Micrometer, as a remote unauthenticated attacker can disrupt the availability of affected systems by sending specially crafted gRPC requests. The broad accessibility of gRPC endpoints in typical deployments contributes to the elevated risk, allowing for significant service interruption.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.16.0,1.16.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.15.0,1.15.12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Micrometer", "source": "cna", "vendor": "Spring"}, "product": "micrometer", "vendor": "spring"}], "created": "2026-06-09T05:30:36.260733+00:00", "updated": "2026-06-26T01:30:17.135299+00:00", "vendors": ["spring", "spring$PRODUCT$micrometer"]}