PT-2026-35730 · VMware · Spring gRPC
Published: 2026-04-28 · Updated: 2026-04-28 · CVE-2026-40968
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Spring gRPC versions prior to 1.0.3
Description
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread. This identity can be inherited by a subsequent unauthenticated request processed on the same thread, potentially allowing the subsequent user to gain escalated permissions.
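The thread-reuse behaviour described above, modelled in plain Java as an added example. It is not Spring gRPC code and not the project's patch; `IDENTITY`, `handleLeaky`, `handleSafe` and the principal `alice` are hypothetical names, and a single-thread executor stands in for a gRPC worker thread.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadIdentityLeakDemo {
    // Hypothetical stand-in for a security context bound to the current thread.
    static final ThreadLocal<String> IDENTITY = new ThreadLocal<>();

    // Stand-in for an authorization failure on a protected method.
    static class AccessDenied extends RuntimeException {}

    interface Handler { String handle(String credentials, boolean allowed); }

    // Flawed flow: the identity is bound, the denial aborts the call, nothing unbinds it.
    static String handleLeaky(String credentials, boolean allowed) {
        if (credentials != null) {
            IDENTITY.set(credentials);
            if (!allowed) throw new AccessDenied();
        }
        return "handled as " + IDENTITY.get();
    }

    // Hardened flow: the binding is removed on every exit path, including denial.
    static String handleSafe(String credentials, boolean allowed) {
        try {
            return handleLeaky(credentials, allowed);
        } finally {
            IDENTITY.remove();
        }
    }

    // Runs a denied authenticated call, then an unauthenticated call, on the same thread.
    static String secondRequestIdentity(Handler handler) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            worker.submit(() -> {
                try { handler.handle("alice", false); } catch (AccessDenied expected) { }
            }).get();
            return worker.submit(() -> handler.handle(null, true)).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky: " + secondRequestIdentity(ThreadIdentityLeakDemo::handleLeaky));
        System.out.println("safe:  " + secondRequestIdentity(ThreadIdentityLeakDemo::handleSafe));
    }
}
```

With the leaky handler the second, unauthenticated call still sees the identity left behind by the denied call; with the cleanup in `finally` it sees none.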
Recommendations
Update to version 1.0.3.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Spring gRPC