Denial-of-Service Vulnerabilities in Micrometer Identified

Severity: Medium (Score: 45.6)

Sources: spring.io

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: micrometer, grpc, server, vulnerability, http, possible, user

Severity indicators: vulnerability, CVE:CVE-2026-40983, CVE:CVE-2026-40983

Summary

Two denial-of-service (DoS) vulnerabilities have been identified in Micrometer, affecting HTTP and gRPC server instrumentations. CVE-2026-40984 allows specially crafted HTTP requests to cause DoS conditions, impacting unsupported versions. CVE-2026-40983 similarly affects gRPC requests but is limited to versions prior to 1.15.0. Users of the affected versions are advised to upgrade to the fixed versions. Both issues were reported by Yu Bao from PayPal. No further mitigation steps are necessary beyond upgrading. The vulnerabilities do not appear to be actively exploited at this time.

Key Points:

  • CVE-2026-40984 and CVE-2026-40983 are DoS vulnerabilities in Micrometer.
  • Affected users should upgrade to fixed versions; no additional mitigation is needed.
  • Both vulnerabilities were reported by Yu Bao from PayPal.

Detailed Analysis

**Impact**

Applications using vulnerable versions of Micrometer's HTTP server and gRPC server instrumentations are at risk of denial-of-service (DoS) conditions. The vulnerability affects unsupported versions for HTTP instrumentation and versions prior to 1.15.0 for gRPC instrumentation. This impacts organizations relying on Micrometer for application monitoring, potentially disrupting service availability and operational continuity. No data breach or information exposure is reported.

**Technical Details**

The attack vector involves specially crafted HTTP or gRPC requests that trigger DoS conditions in Micrometer instrumentations. The CVEs involved are CVE-2026-40984 (HTTP server instrumentation) and CVE-2026-40983 (gRPC server instrumentation). The vulnerabilities were responsibly disclosed by Yu Bao from PayPal. No malware, tools, or specific infrastructure details are provided. The attack corresponds to the delivery and exploitation stages of the kill chain.

**Recommended Response**

Users should immediately upgrade to the fixed versions of Micrometer as specified for each instrumentation type. No additional mitigation steps are required beyond patching. Defenders should monitor for unusual HTTP or gRPC request patterns indicative of DoS attempts. No indicators of compromise (IOCs) are provided for blocking or detection.

Source articles (2)

  • CVE-2026-40984: Micrometer HTTP server instrumentations DoS vulnerability — spring.io · 2026-06-08
    In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the follo…
  • CVE-2026-40983: Micrometer gRPC server instrumentation DoS vulnerability — spring.io · 2026-06-08
    In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the follo…

Timeline

  • 2026-06-08 — CVE-2026-40984 disclosed: Micrometer's HTTP server instrumentation vulnerability allows DoS via crafted requests, affecting unsupported versions.
  • 2026-06-08 — CVE-2026-40983 disclosed: Micrometer's gRPC server instrumentation vulnerability allows DoS via crafted requests, affecting versions prior to 1.15.0.

CVEs

  • CVE-2026-40983
  • CVE-2026-40984

Related entities

  • DDoS (Attack Type)
  • Denial-of-Service (Attack Type)
  • paypal.com (Domain)
  • T1499 - Endpoint Denial of Service (Mitre Attack)
  • Apache Tomcat (Platform)
  • GRPC (Platform)
  • Micrometer (Platform)
  • OpenJDK (Platform)
  • Spring (Platform)