=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN437
_____________________________________________________________________

DATE                : 28/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring gRPC versions prior to 1.0.3.

=====================================================================
https://spring.io/security/cve-2026-40969/
https://spring.io/security/cve-2026-40968/
_____________________________________________________________________

CVE-2026-40969: Spring gRPC AuthenticationException message reflected
to remote client

LOW | APRIL 28, 2026 | CVE-2026-40969

Description

The raw message of every server-side AuthenticationException is
returned to the unauthenticated remote caller in the gRPC status
description. This allows an attacker to obtain information about
the authentication failure, which may be useful for further
attacks.

Affected Spring Products and Versions

Spring gRPC:

    1.0.0 - 1.0.2
    Older, unsupported versions are also affected.


Mitigation

Users of affected versions should upgrade to the corresponding fixed
version.

Affected version(s)    Fix version    Availability

1.0.x                  1.0.3          OSS


No further mitigation steps are necessary.


References

    CVSS 3.1 base score 3.7 (Low), vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N:
    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1


History

    2026-04-28: Initial vulnerability report published.

_____________________________________________________________________

CVE-2026-40968: Spring gRPC SecurityContext leaks across requests on
authorization failure

MEDIUM | APRIL 28, 2026 | CVE-2026-40968

Description

When an authenticated user is denied access to a gRPC method, their
authenticated identity remains bound to the gRPC worker thread and
can be inherited by a subsequent unauthenticated request served on the
same thread. This may allow the subsequent caller to act with the
previous user's permissions.
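
The failure mode described above, together with the message reflection
of CVE-2026-40969, as an added illustration that is not Spring gRPC's
own code and does not reproduce the actual fix shipped in 1.0.3. It is
a plain-JDK model (Java 17+): a ThreadLocal stands in for the security
context bound to the worker thread, a single-thread executor stands in
for a reused gRPC worker thread, and the token table, method names and
exception messages are constructed for the demo. The "vulnerable" path
unbinds the identity only on success and echoes raw exception messages;
the "hardened" path unbinds in a finally block and returns a generic
status description, which is the usual pattern for this class of bug.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Function;

/** Models the advisory's two issues on one reused worker thread (demo, not Spring gRPC code). */
public class GrpcSecurityContextLeakDemo {

    // Thread-bound identity, playing the role of the security context the real
    // server binds to the gRPC worker thread (assumption: a plain ThreadLocal).
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    // Constructed request: optional bearer token plus the gRPC method being called.
    record Request(String token, String method) {}

    // Constructed token table standing in for the real authentication manager.
    static final Map<String, String> TOKENS = Map.of("tok-alice", "alice");

    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Returns the user for a valid token, null when no token is present, throws otherwise. */
    static String authenticate(String token) {
        if (token == null) return null;
        String user = TOKENS.get(token);
        if (user == null) {
            // Constructed message carrying internal detail, to show what reflection leaks.
            throw new AuthenticationException("token '" + token + "' not found in key store");
        }
        return user;
    }

    /** /admin/* needs root; every other method needs some authenticated caller. */
    static void authorize(String user, String method) {
        if (user == null) throw new AccessDeniedException("anonymous caller: " + method);
        if (method.startsWith("/admin/") && !"root".equals(user)) {
            throw new AccessDeniedException(user + " may not call " + method);
        }
    }

    /** Vulnerable flow: identity unbound only on success, raw messages echoed to the caller. */
    static String vulnerableHandle(Request req) {
        try {
            String user = authenticate(req.token());
            if (user != null) PRINCIPAL.set(user);
            authorize(PRINCIPAL.get(), req.method());
            String result = "OK " + req.method() + " as " + PRINCIPAL.get();
            PRINCIPAL.remove();                            // never reached when authorize() throws
            return result;
        } catch (AuthenticationException e) {
            return "UNAUTHENTICATED: " + e.getMessage();   // raw message in the status description
        } catch (AccessDeniedException e) {
            return "PERMISSION_DENIED: " + e.getMessage(); // PRINCIPAL stays bound to the thread
        }
    }

    /** Hardened flow: unbind in finally, keep exception detail out of the status description. */
    static String hardenedHandle(Request req) {
        try {
            String user = authenticate(req.token());
            if (user != null) PRINCIPAL.set(user);
            authorize(PRINCIPAL.get(), req.method());
            return "OK " + req.method() + " as " + PRINCIPAL.get();
        } catch (AuthenticationException e) {
            // Log e server-side; the remote caller only learns that authentication failed.
            return "UNAUTHENTICATED: authentication failed";
        } catch (AccessDeniedException e) {
            return "PERMISSION_DENIED";
        } finally {
            PRINCIPAL.remove();                            // runs on success, denial and failure alike
        }
    }

    /** Serves every request on one worker thread, as a reused gRPC executor thread would. */
    static List<String> run(Function<Request, String> handler, List<Request> requests) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            List<String> out = new ArrayList<>();
            for (Request r : requests) {
                Callable<String> task = () -> handler.apply(r);
                out.add(worker.submit(task).get());
            }
            return out;
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        List<Request> requests = List.of(
            new Request("tok-alice", "/admin/Reset"),  // authenticated as alice, then denied
            new Request(null, "/user/Profile"),        // anonymous caller on the same worker thread
            new Request("tok-eve", "/user/Profile"));  // unknown token
        System.out.println("vulnerable: " + run(GrpcSecurityContextLeakDemo::vulnerableHandle, requests));
        System.out.println("hardened:   " + run(GrpcSecurityContextLeakDemo::hardenedHandle, requests));
    }
}
```

Compile and run with javac/java. In the vulnerable run the second, anonymous
request is served "as alice" because alice's denied call left her identity on
the thread, and the third response echoes the unknown token back to the caller;
in the hardened run the anonymous request is denied and the caller sees only
"authentication failed". The leak requires thread reuse between calls, which
is the norm for a server executor; a test that drives requests through a
single-thread executor, as above, makes it reproducible rather than timing
dependent.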


Affected Spring Products and Versions

Spring gRPC:

    1.0.0 - 1.0.2
    Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding
fixed version.


Affected version(s)    Fix version    Availability

1.0.x                  1.0.3          OSS

No further mitigation steps are necessary.


References

    CVSS 3.1 base score 4.2 (Medium), vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N:
    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N&version=3.1


History

    2026-04-28: Initial vulnerability report published.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================