CVE-2026-40968: Spring gRPC SecurityContext leaks across requests upon authorization failure

April 28, 2026 (updated May 6, 2026)

When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.

Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

References

github.com/advisories/GHSA-4g9c-3x4p-mfpp
github.com/spring-projects/spring-grpc
nvd.nist.gov/vuln/detail/CVE-2026-40968
spring.io/security/cve-2026-40968

Code Behaviors & Features

Detect and mitigate CVE-2026-40968 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →