CVE-2026-40984 · Severity: HIGH · CNA: vmware

CVE-2026-40984: Micrometer HTTP server instrumentations DoS vulnerability

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Affected versions:

  • micrometer-core: 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17.
  • micrometer-jetty11: 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
  • micrometer-jetty12: 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.9.18 (1.9 branch, micrometer-core only); 1.13.19, 1.14.16, 1.15.12 and 1.16.6 for the 1.13 to 1.16 branches of all three modules
Affected Products: 3 (micrometer-core, micrometer-jetty11, micrometer-jetty12)


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability affects the Micrometer HTTP server instrumentations shipped in micrometer-core, micrometer-jetty11 and micrometer-jetty12. The flaw is reachable over the network with no authentication, so any remote client able to reach an instrumented HTTP endpoint can send specially crafted requests that trigger it. The recorded impact is to availability only (CVSS A:H): successful exploitation makes the instrumented service unavailable to legitimate clients; no confidentiality or integrity impact is recorded. Patched-image rebuilds at versions 1.9.18, 1.13.19, 1.14.16, 1.15.12 and 1.16.6 are available on HarborGuard for affected environments; note that the 1.9 branch exists only for micrometer-core, so the 1.9.18 fix does not apply to the Jetty modules.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-40984 is available across every HarborGuard environment. The CVE is ingested from upstream feeds and matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle any of the affected Micrometer modules, not just official upstream base images.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild targeting the applicable fix version (1.9.18, 1.13.19, 1.14.16, 1.15.12 or 1.16.6, depending on the affected branch in use) becomes available on HarborGuard once the upstream fix is confirmed present in the image layer. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; the attacker sends crafted HTTP requests directly to an exposed, instrumented endpoint.

  • Authentication: Not required

    No credentials or session token are needed; any unauthenticated client can send the malicious request.

  • Victim interaction: Not required

    No user action is needed on the target side; the attacker triggers the condition entirely through their own requests.

  • Attack complexity: Low

    The CVSS vector records low attack complexity (AC:L): no special conditions, such as a race or environment-specific knowledge, are recorded as prerequisites.

Blast Radius

  • Crashes or stalls the instrumented HTTP service, making it unavailable to legitimate clients.
  • Availability of any application relying on the affected Micrometer instrumentation layer is disrupted for the duration of the attack.
  • No confidentiality or integrity impact is indicated; stored data and application state are not directly readable or modifiable through this vulnerability.

How HarborGuard Handles This

Detection fires within minutes of ingestion for any image containing an affected Micrometer version, across all registered registries and pipeline stages, including custom-built images. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to the appropriate patched branch (1.9.18, 1.13.19, 1.14.16, 1.15.12 or 1.16.6), followed by a regression test run and a PR opened against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, HarborGuard surfaces the finding with fix-version guidance so engineering teams can act manually.

Because this is a network-exposed, unauthenticated DoS with low attack complexity, treat remediation as urgent. Until the patched image is deployed, network-policy controls that restrict which clients can reach the instrumented HTTP endpoints are a reasonable compensating control; note that the trigger is a request to an endpoint the server instrumentation observes, so restricting access to the metrics-scrape endpoint alone does not remove the exposure, and any client that legitimately retains access can still trigger the condition.


Fix available

1.9.18 · 1.13.19 · 1.14.16 · 1.15.12 · 1.16.6
Affected packages
  • Spring / Micrometer (micrometer-core)
    < 1.16.6 (from 1.16.0) · < 1.15.12 (from 1.15.0) · < 1.14.16 (from 1.14.0) · < 1.13.19 (from 1.13.0) · < 1.9.18 (from 1.9.0)
  • Spring / Micrometer (micrometer-jetty11)
    < 1.16.6 (from 1.16.0) · < 1.15.12 (from 1.15.0) · < 1.14.16 (from 1.14.0) · < 1.13.19 (from 1.13.0)
  • Spring / Micrometer (micrometer-jetty12)
    < 1.16.6 (from 1.16.0) · < 1.15.12 (from 1.15.0) · < 1.14.16 (from 1.14.0) · < 1.13.19 (from 1.13.0)
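The version ranges above (and in the description at the top of the page) are per minor branch, and the three modules do not share the same set of branches: only micrometer-core has a 1.9 line, and branches such as 1.10.x to 1.12.x are not mentioned at all. A scanner that collapses this into "anything below 1.16.6" will misclassify both cases. The following is an added example, not HarborGuard's scanner or Micrometer project code, that encodes the advisory's ranges exactly and applies them to a `mvn dependency:list`-style listing. The Maven coordinates (`io.micrometer:micrometer-core` and so on) and the sample listing are assumptions constructed for the example; branches or packages the advisory does not mention are reported as `not_listed` rather than as safe, and a pre-release qualifier (for example `1.16.6-SNAPSHOT`) is treated as sorting below the fix version.

```python
"""Version-range check for CVE-2026-40984 against the ranges stated in the advisory.

Added example, not HarborGuard's scanner or Micrometer code. The Maven
coordinates and the dependency-list sample below are constructed.
"""
from __future__ import annotations

# Per minor branch: (first affected, first fixed), copied from the advisory.
# The 4th tuple element is a release flag: 0 = pre-release qualifier
# (e.g. -SNAPSHOT, -RC1), 1 = final release, so "1.16.6-SNAPSHOT" sorts
# below "1.16.6" and is still treated as unfixed.
_CORE_BRANCHES = {
    (1, 9):  ((1, 9, 0, 1),  (1, 9, 18, 1)),
    (1, 13): ((1, 13, 0, 1), (1, 13, 19, 1)),
    (1, 14): ((1, 14, 0, 1), (1, 14, 16, 1)),
    (1, 15): ((1, 15, 0, 1), (1, 15, 12, 1)),
    (1, 16): ((1, 16, 0, 1), (1, 16, 6, 1)),
}
# micrometer-jetty11 and micrometer-jetty12 have no 1.9 line in the advisory.
_JETTY_BRANCHES = {k: v for k, v in _CORE_BRANCHES.items() if k != (1, 9)}

# Assumed Maven coordinates (groupId:artifactId); not stated on the advisory page.
AFFECTED = {
    "io.micrometer:micrometer-core": _CORE_BRANCHES,
    "io.micrometer:micrometer-jetty11": _JETTY_BRANCHES,
    "io.micrometer:micrometer-jetty12": _JETTY_BRANCHES,
}


def parse_version(v: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-qualifier]' into a comparable tuple."""
    core, _, qualifier = v.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if qualifier else 1)


def _fmt(v: tuple[int, int, int, int]) -> str:
    return ".".join(str(n) for n in v[:3])


def check(package: str, version: str) -> dict:
    """Classify one coordinate as affected / fixed / not_listed.

    'not_listed' covers packages, branches and pre-release builds the
    advisory does not mention (e.g. 1.10.x-1.12.x); treat it as unknown,
    not as safe.
    """
    branches = AFFECTED.get(package)
    if branches is None:
        return {"status": "not_listed", "fixed_in": None}
    v = parse_version(version)
    branch = branches.get(v[:2])
    if branch is None or v < branch[0]:
        return {"status": "not_listed", "fixed_in": None}
    first, fixed = branch
    status = "affected" if first <= v < fixed else "fixed"
    return {"status": status, "fixed_in": _fmt(fixed)}


def scan_dependency_list(text: str) -> list[dict]:
    """Run check() over `mvn dependency:list`-style lines.

    Accepts 'group:artifact:type:version:scope' and 'group:artifact:version'
    coordinates; lines that are not one of the listed packages are ignored.
    """
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        fields = tokens[-1].split(":") if tokens else []
        if len(fields) == 5:
            group, artifact, _type, version, _scope = fields
        elif len(fields) == 3:
            group, artifact, version = fields
        else:
            continue
        package = f"{group}:{artifact}"
        if package in AFFECTED:
            findings.append({"package": package, "version": version, **check(package, version)})
    return findings


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    io.micrometer:micrometer-core:jar:1.15.3:compile
[INFO]    io.micrometer:micrometer-jetty12:jar:1.14.16:compile
[INFO]    io.micrometer:micrometer-core:jar:1.16.6-SNAPSHOT:compile
[INFO]    io.micrometer:micrometer-jetty11:jar:1.12.4:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.17:compile
"""

if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{f['package']}:{f['version']}  {f['status']}  fix={f['fixed_in']}")
```

On the sample, `micrometer-core 1.15.3` is reported affected with fix 1.15.12, `micrometer-jetty12 1.14.16` as fixed, `micrometer-core 1.16.6-SNAPSHOT` as affected (a snapshot of the fix version is not the fix), and `micrometer-jetty11 1.12.4` as not listed. The last case is the one to watch: the advisory says nothing about 1.10 to 1.12, so a scanner should flag it for a manual check rather than silently pass it.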
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References