Spring gRPC SecurityContext leaks across requests on authorization failure

MEDIUM | APRIL 28, 2026 | CVE-2026-40968

Description

When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions.

Affected Spring Products and Versions

Spring gRPC:

  • 1.0.2 and earlier

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
1.0.3OSS

No further mitigation steps are necessary.

History

  • 2026-04-28: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all