CVE-2026-40969 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2026-40969?

CVE-2026-40969 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-40969?

Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Grpc.

Vulnerability Description

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Vmware	Spring Grpc	< 1.0.3

Related Weaknesses (CWE)

CWE-209

References

https://spring.io/security/cve-2026-40969Vendor Advisory

FAQ

What is CVE-2026-40969?

CVE-2026-40969 is a vulnerability with a CVSS score of 3.7 (LOW). The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the au...

How severe is CVE-2026-40969?

CVE-2026-40969 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-40969?

Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Grpc.