CVE-2026-40984

Name of the Vulnerable Software and Affected Versions micrometer-core versions 1.16.0 through 1.16.5 micrometer-core versions 1.15.0 through 1.15.11 micrometer-core versions 1.14.0 through 1.14.15 micrometer-core versions 1.13.0 through 1.13.18 micrometer-core versions 1.9.0 through 1.9.17 micrometer-jetty11 versions 1.16.0 through 1.16.5 micrometer-jetty11 versions 1.15.0 through 1.15.11 micrometer-jetty11 versions 1.14.0 through 1.14.15 micrometer-jetty11 versions 1.13.0 through 1.13.18 micrometer-jetty12 versions 1.16.0 through 1.16.5 micrometer-jetty12 versions 1.15.0 through 1.15.11 micrometer-jetty12 versions 1.14.0 through 1.14.15 micrometer-jetty12 versions 1.13.0 through 1.13.18

Description Micrometer HTTP server instrumentations contain an uncontrolled resource consumption flaw. An unauthenticated attacker can remotely send specially crafted HTTP requests that, when processed by the instrumentation, can lead to a denial-of-service (DoS) condition. This issue affects availability without impacting data exposure or integrity.

Recommendations Update micrometer-core versions 1.16.0 through 1.16.5 to 1.16.6 Update micrometer-core versions 1.15.0 through 1.15.11 to 1.15.12 Update micrometer-core versions 1.14.0 through 1.14.15 to 1.14.16 Update micrometer-core versions 1.13.0 through 1.13.18 to 1.13.19 Update micrometer-core versions 1.9.0 through 1.9.17 to 1.9.18 Update micrometer-jetty11 versions 1.16.0 through 1.16.5 to 1.16.6 Update micrometer-jetty11 versions 1.15.0 through 1.15.11 to 1.15.12 Update micrometer-jetty11 versions 1.14.0 through 1.14.15 to 1.14.16 Update micrometer-jetty11 versions 1.13.0 through 1.13.18 to 1.13.19 Update micrometer-jetty12 versions 1.16.0 through 1.16.5 to 1.16.6 Update micrometer-jetty12 versions 1.15.0 through 1.15.11 to 1.15.12 Update micrometer-jetty12 versions 1.14.0 through 1.14.15 to 1.14.16 Update micrometer-jetty12 versions 1.13.0 through 1.13.18 to 1.13.19