CVE-2026-40983: Micrometer gRPC Denial-of-Service Vulnerability
Micrometer, a popular metrics and monitoring library, contains a vulnerability that allows unauthenticated attackers to send specially crafted gRPC requests that overwhelm and crash affected services. An attacker needs only network access to the affected system—no credentials or user interaction required. This is a denial-of-service (DoS) issue affecting specific versions of the library that organizations commonly embed in their Java microservices and cloud-native applications.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400, CWE-770
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-15
NVD description (verbatim)
In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Micrometer versions 1.16.0–1.16.5 and 1.15.0–1.15.11 and stems from improper handling of gRPC protocol input (CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling). By crafting malicious gRPC requests, an attacker can trigger resource exhaustion or infinite loops that crash the instrumented service. The attack requires no authentication or user interaction and can be executed over the network, making it trivially exploitable by any attacker with network visibility to an affected endpoint.
Business impact
Organizations using vulnerable versions face service disruption and potential cascading failures in microservices architectures that depend on Micrometer for observability. If your platform ingests metrics from multiple instrumented services, a DoS attack on one service's metrics pipeline could degrade visibility into your entire infrastructure during an incident—precisely when you need observability most. In production environments running containerized workloads, this could trigger rapid pod cycling and orchestration churn, compounding availability damage.
Affected systems
Micrometer 1.16.0 through 1.16.5 and 1.15.0 through 1.15.11 are vulnerable. This includes any application that embeds these library versions, particularly microservices using Spring Boot, Quarkus, Helidon, or other frameworks that depend on Micrometer for metrics collection and export. Confirm your dependency tree; Micrometer is often a transitive dependency pulled in by observability stacks. Versions prior to 1.15.0 and 1.16.0, as well as versions 1.16.6+ and 1.15.12+ (when released), are not affected.
Exploitability
Exploitability is straightforward: the attack vector is network-accessible (AV:N), requires no special conditions (AC:L), no privileges (PR:N), and no user interaction (UI:N). Any network endpoint exposing gRPC services instrumented with vulnerable Micrometer versions can be targeted by an attacker with basic knowledge of gRPC protocol construction. Public exploit code has not been reported as of the advisory date, but the attack surface is well-defined and does not require sophisticated techniques.
Remediation
Upgrade Micrometer to version 1.15.12 or later (for the 1.15.x line) or 1.16.6 or later (for the 1.16.x line). Patch your applications and redeploy; Micrometer is typically updated via Maven, Gradle, or other dependency managers. If immediate patching is not feasible, isolate gRPC endpoints from untrusted networks using firewall rules or service-mesh policies, though this is a temporary measure and patches should be prioritized. Verify compatibility with your frameworks before deploying—consult the Micrometer release notes for any breaking changes.
Patch guidance
1. Audit your dependency manifests (pom.xml, build.gradle, requirements files) to identify all services using Micrometer 1.15.0–1.15.11 or 1.16.0–1.16.5. 2. Update to the fixed versions (1.15.12+ or 1.16.6+) in your dependency manager. 3. Run your build pipeline and integration tests to confirm compatibility. 4. Deploy updates to development and staging environments first, then production on your standard release schedule. 5. If you have a large fleet, consider staged rollout or canary deployments. 6. Verify the update took effect by checking runtime dependency versions via actuator endpoints or logs.
Detection guidance
Monitor for unusual gRPC traffic patterns targeting your application: look for a spike in malformed or oversized gRPC frames, rapid connection attempts, or exhaustion of file descriptors and memory tied to gRPC listener threads. Inspect application logs for resource-exhaustion warnings, out-of-memory errors, or exceptions in Micrometer gRPC handlers occurring synchronously with traffic spikes. If you deploy with Kubernetes, watch for pod restarts or CrashLoopBackOff events correlated with traffic anomalies. Network-level indicators include sustained high packet rates on gRPC ports (typically 50051, 50052, or application-defined) from single or distributed sources.
Why prioritize this
This vulnerability merits prompt attention because it combines high severity (CVSS 7.5), trivial exploitability, and widespread usage of Micrometer across cloud-native and microservices ecosystems. Unlike vulnerabilities requiring authentication or user interaction, this can be exploited by any attacker with network access. The impact—service unavailability and loss of observability—is direct and damaging in always-on environments. However, it is not yet on the CISA KEV list, suggesting active exploitation in the wild has not been confirmed at scale; still, the attack pattern is straightforward enough that prudent teams should treat this as medium-to-high priority for the next maintenance cycle.
Risk score, explained
CVSS 7.5 (HIGH) reflects the combination of network-level attack feasibility, lack of authentication barriers, and high impact to availability. The scoring reflects that an unauthenticated attacker can cause service denial with minimal effort. The severity does not reach CRITICAL because the scope is limited to the availability of the affected service (not system-wide confidentiality or integrity) and patching is straightforward. Organizations with defense-in-depth practices (network segmentation, rate limiting, DDoS mitigation) can partially offset risk until patches are deployed.
Frequently asked questions
Do I need to patch immediately, or can this wait until our next maintenance window?
If your infrastructure is exposed to untrusted networks (e.g., the internet), prioritize patching in the next 1–2 weeks. If gRPC endpoints are confined to internal networks with strong access controls, you have more flexibility. However, do not defer indefinitely; this is a network-exploitable DoS that does not require authentication.
We use Micrometer but only for metrics export, not gRPC. Are we affected?
You are only vulnerable if your Micrometer version is in the affected range (1.15.0–1.15.11 or 1.16.0–1.16.5) AND you expose gRPC services (either directly or through a framework like Quarkus or Helidon that instruments gRPC handlers). If you use Micrometer only with HTTP or other non-gRPC transports, you are not affected. Verify your application's gRPC exposure.
Can I mitigate this without patching by disabling gRPC or metrics collection?
Disabling metrics collection entirely defeats the purpose of using Micrometer and is not recommended. If you must delay patching, restrict network access to gRPC endpoints via firewall, Kubernetes network policies, or service-mesh ingress rules so that only trusted internal clients can reach them. This is a temporary measure; upgrade as soon as your maintenance cycle permits.
What versions are considered safe?
Micrometer versions 1.15.12 and later (in the 1.15.x branch) and 1.16.6 and later (in the 1.16.x branch) include the fix. All versions below 1.15.0 and 1.16.0 are also unaffected because they predate the vulnerable code. Consult the official Micrometer release notes to confirm exact version numbers when planning your upgrade.
This analysis is based on the published CVE description and CVSS vector as of the modification date (2026-07-15). Specific patch version numbers, vendor advisories, and compatibility details should be verified against the official Micrometer GitHub repository and release notes before deployment. SEC.co provides this intelligence for informational purposes; organizations must conduct their own risk assessment and testing before applying patches to production systems. No exploit code is provided or endorsed; proof-of-concept testing should only occur in controlled, non-production environments with proper authorization. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40984HIGHMicrometer Denial-of-Service Vulnerability – HTTP Request Handling Flaw
- CVE-2026-49361HIGHApache Fluss Remote Denial of Service via Oversized Frame
- CVE-2026-48187MEDIUMOTRS Email Handler Denial of Service – Uncontrolled Resource Allocation
- CVE-2026-49324MEDIUM2025 Indian Motorcycle Scout Bobber + Tech Immobilizer Lockout Vulnerability
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2025-46638HIGHDell BSAFE SSL-J Resource Exhaustion DoS Vulnerability
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-28299HIGHSolarWinds Web Help Desk Denial-of-Service Vulnerability – CVSS 8.2