Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-40983: Micrometer gRPC server instrumentation DoS vulnerability
Description
In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
- the application uses a vulnerable version of
io.micrometer:micrometer-core - an
ObservationRegistryis configured in the application and it records observations DefaultMeterObservationHandleris configured to output metrics from Observations or the user has a customObservationHandlerthat outputs metrics similarly toDefaultMeterObservationHandler- the application uses
ObservationGrpcServerInterceptorto instrument its gRPC server
Affected Products and Versions
Micrometer:
- 1.16.0 - 1.16.5
- 1.15.0 - 1.15.11
Older versions than 1.15.0 are not affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 1.16.x | 1.16.6 | OSS |
| 1.15.x | 1.15.12 | OSS |
No further mitigation steps are necessary.
Credit
The issue was identified and responsibly reported by Yu Bao (@August829) - [email protected] – who works for paypal.com.
References
History
- 2026-06-08: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all