CVE-2026-40968

CVE-2026-40968 affects Spring gRPC 1.0.0–1.0.2 (fixed in 1.0.3; older/unsupported versions also affected). The issue: when an authenticated user is denied access to a gRPC method, the user’s authenticated identity remains bound to a gRPC worker thread and can be inherited by a subsequent unauthen...

CVE-2026-40969

CVE-2026-40969 affects Spring gRPC 1.0.0–1.0.2, where the server-side AuthenticationException message is echoed in the gRPC status description returned to unauthenticated remote callers. This information disclosure could aid in understanding authentication failures and may assist subsequent attac...