HIGH 7.5

CVE-2026-40984: Micrometer Denial-of-Service Vulnerability – HTTP Request Handling Flaw

Micrometer, a popular metrics collection library, contains a vulnerability that allows attackers to trigger denial-of-service conditions by sending specially crafted HTTP requests. An unauthenticated attacker on the network can exploit this weakness to make applications unresponsive or crash. The vulnerability affects multiple versions across the micrometer-core and jetty-specific modules. No authentication or user interaction is required to launch an attack.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400, CWE-770
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-07-15

NVD description (verbatim)

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-40984 is a denial-of-service vulnerability in Micrometer's HTTP request handling. The vulnerability arises from improper handling of crafted HTTP requests, resulting in resource exhaustion or uncontrolled processing. The affected attack vector is network-based with low complexity and no privileges required. The flaw maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), indicating the application fails to adequately restrict resource usage in response to malicious input. The CVSS 3.1 score of 7.5 (HIGH) reflects the high availability impact with no confidentiality or integrity compromise.

Business impact

Organizations relying on Micrometer for metrics collection and monitoring face potential service disruption. Since Micrometer is widely integrated into observability stacks, exploitation could degrade or disable monitoring infrastructure, complicating incident detection and response. Downstream applications using affected Micrometer versions may experience intermittent availability issues if the library is exploited. For operations-critical environments, this could indirectly impair system visibility during security events.

Affected systems

Micrometer-core versions 1.16.0–1.16.5, 1.15.0–1.15.11, 1.14.0–1.14.15, 1.13.0–1.13.18, and 1.9.0–1.9.17 are affected. Micrometer-jetty11 versions 1.16.0–1.16.5, 1.15.0–1.15.11, 1.14.0–1.14.15, and 1.13.0–1.13.18 are affected. Micrometer-jetty12 versions 1.16.0–1.16.5, 1.15.0–1.15.11, 1.14.0–1.14.15, and 1.13.0–1.13.18 are affected. Any application or service embedding these versions of Micrometer is vulnerable. Check your dependency inventory and build manifests to identify exposure.

Exploitability

This vulnerability is readily exploitable. It requires only network access, no authentication, and low attack complexity. An attacker can craft malicious HTTP requests and send them directly to any exposed Micrometer endpoint without special privileges or user interaction. The attack can be launched remotely, making it practical for widespread exploitation. No active exploitation in the wild is currently tracked in CISA's KEV catalog, but the attack profile suggests low barriers to weaponization.

Remediation

Upgrade affected Micrometer libraries to patched versions. Consult the official Micrometer project releases and security advisories to identify fixed versions for each affected line (1.9, 1.13, 1.14, 1.15, 1.16). In the interim, restrict network exposure of Micrometer HTTP endpoints through network segmentation or firewall rules, and monitor incoming HTTP traffic for suspicious patterns targeting metrics endpoints.

Patch guidance

Verify and apply the latest security patches from the Micrometer project for your currently deployed versions. Review the official release notes and security advisories at the Micrometer GitHub repository or Maven Central to confirm patch availability and compatibility with your environment. Test patches in a staging environment before production deployment to ensure no breaking changes. Prioritize upgrades for internet-facing or DMZ-deployed instances.

Detection guidance

Monitor for unusual HTTP request patterns targeting Micrometer metrics endpoints, including requests with abnormal headers, excessive payload sizes, or repeated connection attempts. Enable request logging and alert on HTTP 400/500 errors or server timeouts from metrics collection endpoints. Implement rate limiting on metrics endpoints to mitigate resource exhaustion. Use Web Application Firewalls (WAF) to filter crafted HTTP requests before they reach Micrometer. Analyze application logs and resource utilization (CPU, memory, threads) for sudden spikes coinciding with metrics collection activity.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH severity rating and low-complexity exploit profile. The network-accessible, unauthenticated nature of the attack, combined with high availability impact, makes it a credible threat to operational continuity. Although not yet in active exploitation campaigns, the straightforward attack vector and widespread use of Micrometer in Java ecosystems warrants rapid patch deployment.

Risk score, explained

CVE-2026-40984 scores 7.5 (HIGH) under CVSS 3.1. The network attack vector (AV:N), low attack complexity (AC:L), and absence of privilege or user interaction requirements (PR:N/UI:N) enable easy exploitation. The high availability impact (A:H) reflects the denial-of-service capability, while no confidentiality or integrity impact (C:N/I:N) limits the score ceiling. The unchanged scope (S:U) indicates the vulnerability does not affect other systems beyond the vulnerable component.

Frequently asked questions

What versions of Micrometer need to be patched?

Micrometer-core 1.9.0–1.9.17, 1.13.0–1.13.18, 1.14.0–1.14.15, 1.15.0–1.15.11, and 1.16.0–1.16.5 are affected. Additionally, micrometer-jetty11 and micrometer-jetty12 within versions 1.13.0–1.13.18, 1.14.0–1.14.15, 1.15.0–1.15.11, and 1.16.0–1.16.5 require patching. Verify your current version in your build tool (Maven, Gradle) and check the Micrometer release notes for fixed versions.

Does this vulnerability require authentication to exploit?

No. The vulnerability is unauthenticated. An attacker on the network can send crafted HTTP requests without logging in or providing credentials, making it a particularly dangerous threat for internet-facing or unsegmented applications.

Is there a workaround if I cannot patch immediately?

Yes. Restrict network access to Micrometer metrics endpoints using firewall rules or network segmentation. Disable or protect HTTP endpoints if not strictly necessary for your observability pipeline. Implement rate limiting and request filtering at the network or WAF layer to block malicious request patterns. These controls reduce risk while you plan and execute patching.

Will patching Micrometer break my application?

Patches are designed to be backward-compatible. However, test all patches in a staging environment that mirrors your production configuration before deploying to production. Review the release notes for any breaking changes or configuration adjustments specific to your version and application.

This analysis is provided for informational purposes to assist cybersecurity professionals in vulnerability assessment and risk management. Patch version numbers and availability dates must be verified against official Micrometer project advisories and release notes. CVSS scores and severity ratings reflect current data but may be updated by NVD or the vendor. This explainer does not constitute legal advice, and organizations should consult their security teams and vendor advisories before making patching decisions. No exploit code or weaponized proof-of-concept is included or recommended for testing this vulnerability outside of controlled, authorized environments. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).