CVE-2026-40983: Micrometer gRPC server instrumentation DoS vulnerability
In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 1.15.12
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in Micrometer's gRPC server instrumentation. The flaw is reachable over the network without any authentication, allowing any client that can send gRPC requests to the affected service to trigger it. Successful exploitation crashes or severely degrades the availability of the instrumented service. A patched-image rebuild at Micrometer 1.15.12 or 1.16.6 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Micrometer as a dependency.
HarborGuard scores this finding at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and applies per-environment compliance policy weighting before routing the alert to the appropriate team inbox within each customer organization.
A patched-image rebuild targeting Micrometer 1.15.12 or 1.16.6 becomes available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the gRPC server endpoint over the network; no local or physical access is needed.
- Authentication: Not required
No credentials or session are required; any unauthenticated client that can send a gRPC request can trigger the vulnerability.
- Victim interaction: Not required
No user interaction is needed; the attacker sends a crafted request directly to the server without involving any other party.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions, specific memory layout, or environmental prerequisites are required.
Blast Radius
- Crashes or severely degrades the instrumented gRPC service, making it unavailable to legitimate clients.
- Sustained or repeated crafted requests can hold the service down, causing a prolonged outage for any workload depending on that endpoint.
How HarborGuard Handles This
Available on HarborGuard: images containing Micrometer versions 1.16.0-1.16.5 or 1.15.0-1.15.11 are flagged automatically, and rebuilt images pinned to the fixed versions (1.15.12 or 1.16.6) are made available as soon as the advisory is matched. Where compliance policy permits auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can retrieve the pre-built fixed image from HarborGuard and apply it on their own schedule. In the interim, restricting gRPC endpoint exposure via network policy to trusted clients only reduces the exploitable surface until the patched image is deployed.
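For teams triaging manually, the following added example (not HarborGuard's or Micrometer's code) checks Maven-style dependency coordinates against the affected and fixed version ranges stated in this advisory. It assumes every `io.micrometer` artifact at an affected version should be treated as affected, since the advisory names Micrometer as a whole rather than a specific module; the sample coordinates are constructed.

```python
from __future__ import annotations

# Added example, not part of the advisory. Ranges are the ones stated above:
# (first affected, last affected, fixed version to upgrade to).
AFFECTED_RANGES = [
    ((1, 15, 0), (1, 15, 11), "1.15.12"),
    ((1, 16, 0), (1, 16, 5), "1.16.6"),
]

# Constructed sample dependency list; versions are illustrative only.
SAMPLE_DEPENDENCIES = [
    "io.micrometer:micrometer-core:1.16.2",                   # inside 1.16.0-1.16.5
    "io.micrometer:micrometer-registry-prometheus:1.15.12",   # fixed 1.15.x release
    "io.micrometer:micrometer-observation:1.17.0-SNAPSHOT",   # not a plain x.y.z release
    "io.grpc:grpc-netty-shaded:1.68.1",                       # not a Micrometer artifact
]

def parse_version(version: str) -> tuple[int, ...]:
    """Parse a plain release version such as '1.16.3' into a comparable tuple.
    Anything that is not exactly three numeric components is rejected so that
    snapshots and milestones get a manual look instead of a silent verdict."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)

def fixed_version_for(version: str) -> str | None:
    """Return the fixed version to move to if `version` is affected, else None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= parsed <= high:
            return fixed
    return None

def triage(coordinates: list[str]) -> dict[str, str]:
    """Map each 'group:artifact:version' coordinate to a status string.
    Assumption: any io.micrometer artifact in an affected range is flagged,
    and all Micrometer artifacts should be upgraded together to the fixed line."""
    report: dict[str, str] = {}
    for coord in coordinates:
        parts = coord.split(":")
        if len(parts) < 3:
            report[coord] = "unparsable coordinate, check manually"
            continue
        group, version = parts[0], parts[2]
        if group != "io.micrometer":
            report[coord] = "not a Micrometer artifact"
            continue
        try:
            fixed = fixed_version_for(version)
        except ValueError:
            report[coord] = "unknown version format, check manually"
            continue
        report[coord] = f"AFFECTED, upgrade to {fixed}" if fixed else "not affected"
    return report

if __name__ == "__main__":
    for coord, status in triage(SAMPLE_DEPENDENCIES).items():
        print(f"{coord}: {status}")
```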
Fix available
- Spring / Micrometer: < 1.16.6 (from 1.16.0) · < 1.15.12 (from 1.15.0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H