Spring gRPC AuthenticationException messages are reflected to remote client

GHSA-37w2-q6vh-45v6 · CVE-2026-40969

Published Apr 28, 2026 · Modified May 6, 2026

Description

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.

Affected versions:
Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40969
PACKAGE https://github.com/spring-projects/spring-grpc
WEB https://spring.io/security/cve-2026-40969

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes