Zero Day Monitor (ZDM)
CVE-2026-40968 · CVSS 4.3 · Exploited · Patched
Vendor: spring · Product: spring grpc

Spring gRPC SecurityContext leaks across requests on authorization failure

Description

When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

Affected Products

Vendor: spring
Product: spring grpc
Versions: 1.0.0, 1.0.2

References

  • https://spring.io/security/cve-2026-40968

Related News (1 article)

  • [Tier C] VulDB, 17h ago: CVE-2026-40968 | Vmware Spring gRPC up to 1.0.2 SecurityContext improper isolation or compartmentalization (no new info; linked only)
CVSS 3.1: 4.3 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: 1.0.3
CWE: CWE-653
Published: Apr 28, 2026
Last enriched: 16h ago (v2)
Trending score: 43
Source articles: 1
Independent: 1
Info completeness: 9/14 (missing: epss, kev, exploit, iocs, mitre_attack)


Related CVEs (5)

  • CVE-2026-40967 (HIGH, exploited; trending 63): In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to
  • CVE-2026-40978 (HIGH, exploited; trending 56): SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via c
  • CVE-2026-40976 (CRITICAL, exploited; trending 55): In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoint
  • CVE-2026-40966 (MEDIUM, exploited; trending 47): VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration
  • CVE-2026-40974 (CRITICAL, exploited; trending 43): Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Apr 28, 2026: CVE published
  • Apr 28, 2026: Discovered by ZDM
  • Apr 28, 2026: Actively exploited
  • Apr 28, 2026: Patch available
  • Apr 28, 2026: Updated: affectedVersions, severity, activelyExploited

Version History

v2 (Tier C, 16h ago, via VulDB): Updated vendor to Vmware, product to spring grpc, severity to HIGH, and marked the vulnerability as actively exploited. Fields changed: affectedVersions, severity, activelyExploited.

v1 (19h ago): Initial creation.