CVE-2026-40968
Published: 28 April 2026
Summary
CVE-2026-40968 is a medium-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in VMware Spring gRPC. Its CVSS v3.1 base score is 4.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 10.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-25 (Reference Monitor): implements a reference monitor that enforces the access control policy on every request, so that an authenticated identity cannot linger on a gRPC worker thread and be inherited by a subsequent unauthenticated request on the same thread.
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, preventing privilege escalation from an authentication context that was not cleared after a gRPC method access denial.
- Prevents unauthorized transfer of an authentication identity through shared system resources such as gRPC worker threads that are reused between authenticated and unauthenticated requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
In Spring gRPC, an authenticated user's identity stays bound to the gRPC worker thread after that user is denied access to a method. The next unauthenticated request served by the same thread inherits that identity and runs with the denied user's permissions, which maps directly to Exploitation for Privilege Escalation (T1068).
NVD Description
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Deeper analysis
CVE-2026-40968 affects Spring gRPC versions 1.0.0 through 1.0.2, as well as older unsupported versions. The vulnerability arises when an authenticated user is denied access to a gRPC method: the denial path does not clear that user's authenticated identity from the gRPC worker thread, so a subsequent unauthenticated request served by the same thread inherits the identity and runs with the denied user's permissions. Published on 2026-04-28, it carries a CVSS v3.1 base score of 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) and maps to CWE-653 (Improper Isolation or Compartmentalization).
Exploitation, as the vector encodes it, requires network access (AV:N) and low privileges (PR:L) and is of high complexity (AC:H): the leaked identity is only available to whichever request the same worker thread serves next after the denied call, so an attacker cannot simply choose to inherit it and must contend with the server's thread scheduling. No user interaction is required (UI:N) and there is no scope change (S:U). A request that does inherit the identity acts with that user's permissions, which yields limited confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N).
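The thread-reuse failure mode described above, modelled as an added Python example. This is not Spring gRPC's or Spring Security's code: Spring Security's default SecurityContextHolder strategy stores the security context in a Java ThreadLocal, and here threading.local plus a one-thread pool stand in for that. The principal names, the authorization table and the two-request traffic are constructed for the demonstration. The vulnerable handler reproduces the shape of the bug (cleanup on the success path only, so a denied caller's identity stays on the thread); the fixed handler moves cleanup into a finally block that also runs on denial.

```python
"""Model of CWE-653 identity leakage across a reused worker thread (constructed example)."""
import threading
from concurrent.futures import ThreadPoolExecutor

# Stand-in for a per-thread security context. Spring Security keeps its context in a
# ThreadLocal; this script does not use Spring and only models that behaviour.
_ctx = threading.local()


class PermissionDenied(Exception):
    """Raised when a request is unauthenticated or not authorized for the method."""


# Constructed authorization table: principal -> gRPC methods it may call.
ALLOWED = {
    "alice": {"GetOrders"},
    "admin": {"GetOrders", "DeleteOrders"},
}


def _bind_and_authorize(method, credential):
    """Bind the caller's identity (if any) to this thread, then check the method ACL.

    credential is None for an unauthenticated request. Note that when it is None the
    check falls back to whatever identity is already bound to the worker thread.
    """
    if credential is not None:
        _ctx.principal = credential
    principal = getattr(_ctx, "principal", None)
    if principal is None:
        raise PermissionDenied("unauthenticated")
    if method not in ALLOWED.get(principal, set()):
        raise PermissionDenied(f"{principal} may not call {method}")
    return principal


def handle_vulnerable(method, credential):
    """Denial raises before the try/finally, so only the success path clears the
    thread-bound identity. This is the shape of the flaw, not Spring gRPC's code."""
    principal = _bind_and_authorize(method, credential)  # raises on denial, no cleanup
    try:
        return f"{method} executed as {principal}"
    finally:
        _ctx.principal = None


def handle_fixed(method, credential):
    """Cleanup runs on every exit path, including an authorization denial."""
    try:
        principal = _bind_and_authorize(method, credential)
        return f"{method} executed as {principal}"
    finally:
        _ctx.principal = None


def serve_on_one_worker(handler, requests):
    """Run requests sequentially on a single reused worker thread, as a server thread
    pool does when the same thread picks up consecutive calls. Returns one string per
    request: the handler's result or 'DENIED: <reason>'."""
    results = []
    with ThreadPoolExecutor(max_workers=1) as pool:
        for method, credential in requests:
            try:
                results.append(pool.submit(handler, method, credential).result())
            except PermissionDenied as exc:
                results.append(f"DENIED: {exc}")
    return results


# Constructed traffic: alice is denied DeleteOrders, then a request carrying no
# credential at all lands on the same worker thread.
TRAFFIC = [("DeleteOrders", "alice"), ("GetOrders", None)]

# Control traffic: a successful call followed by the unauthenticated request. Both
# handlers deny the second request here, which isolates the bug to the denial path.
CONTROL = [("GetOrders", "alice"), ("GetOrders", None)]

if __name__ == "__main__":
    print("vulnerable, after denial:", serve_on_one_worker(handle_vulnerable, TRAFFIC))
    print("fixed, after denial:     ", serve_on_one_worker(handle_fixed, TRAFFIC))
    print("vulnerable, after success:", serve_on_one_worker(handle_vulnerable, CONTROL))
```

The same two-request sequence (a call that is denied by method-level authorization, immediately followed by a call with no credentials) is the regression check to run against a real deployment after upgrading to 1.0.3: the second call must be rejected as unauthenticated, never served under the first caller's identity.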
Spring gRPC addresses the issue in version 1.0.3. Security practitioners should upgrade affected deployments and consult the official advisory at https://spring.io/security/cve-2026-40968 for full mitigation guidance and verification steps.
Details
- CWE(s)