CVE-2026-40969: Spring gRPC AuthenticationException messages are reflected to remote client

April 28, 2026 (updated May 6, 2026)

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.

Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

References

github.com/advisories/GHSA-37w2-q6vh-45v6
github.com/spring-projects/spring-grpc
nvd.nist.gov/vuln/detail/CVE-2026-40969
spring.io/security/cve-2026-40969

Code Behaviors & Features

Detect and mitigate CVE-2026-40969 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →