Spring gRPC SecurityContext leaks across requests upon authorization failure

GHSA-4g9c-3x4p-mfpp · CVE-2026-40968

Published Apr 28, 2026 · Modified May 6, 2026

Description

When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.

Affected versions:
Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40968
PACKAGE https://github.com/spring-projects/spring-grpc
WEB https://spring.io/security/cve-2026-40968

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes