< Back

CVE-2026-40983

Updated on 08 Jun 2026

Severity

7.5 High severity

Details

CVSS score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE ID: CWE-400 Uncontrolled Resource Consumption
Affected product
Affected component
Links: NIST CIRCL RHEL Ubuntu

Overview

About vulnerability

SVG ImageDescription

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

the application uses a vulnerable version of io.micrometer:micrometer-core
an ObservationRegistry is configured in the application and it records observations
DefaultMeterObservationHandler is configured to output metrics from Observations or the user has a custom ObservationHandler that outputs metrics similarly to DefaultMeterObservationHandler
the application uses ObservationGrpcServerInterceptor to instrument its gRPC server

SVG ImageAffected Products and Versions

Micrometer:

1.16.0 - 1.16.5
1.15.0 - 1.15.11

Older versions than 1.15.0 are not affected.

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)	Fix version	Availability
1.16.x	1.16.6	OSS
1.15.x	1.15.12	OSS

No further mitigation steps are necessary.

SVG ImageCredit

The issue was identified and responsibly reported by Yu Bao (@August829) - [email protected] – who works for paypal.com.

SVG ImageReferences

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

SVG ImageHistory

2026-06-08: Initial vulnerability report published.

Details

SVG ImageDescription

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

the application uses a vulnerable version of io.micrometer:micrometer-core
an ObservationRegistry is configured in the application and it records observations
DefaultMeterObservationHandler is configured to output metrics from Observations or the user has a custom ObservationHandler that outputs metrics similarly to DefaultMeterObservationHandler
the application uses ObservationGrpcServerInterceptor to instrument its gRPC server

SVG ImageAffected Products and Versions

Micrometer:

1.16.0 - 1.16.5
1.15.0 - 1.15.11

Older versions than 1.15.0 are not affected.

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)	Fix version	Availability
1.16.x	1.16.6	OSS
1.15.x	1.15.12	OSS

No further mitigation steps are necessary.

SVG ImageCredit

The issue was identified and responsibly reported by Yu Bao (@August829) - [email protected] – who works for paypal.com.

SVG ImageReferences

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

SVG ImageHistory

2026-06-08: Initial vulnerability report published.

Release info

Copy page link

Open as a page

Advisory

CLSA-2025:1748945064

Operating system

CentOS 8.4 ELS

Published date

Nov 16, 2014

Project

Linux

Version

2.11.0-1~ubuntu16.04.1+tuxcare.els12

How to fix

Update command:

apt-get update
apt-get --only-upgrade install ansible*

Changelog

Insufficiently Random Passwords Leakage
Debian/patches/CVE-2020-10729.patch: Fix caching of Jinja2 expressions to prevent caching dynamic results
CVE-2020-10729

Updated packages

ansible_2.5.1+dfsg-1ubuntu0.1+tuxcare.els6_all.deb

CVE-2026-40983

Severity

Details

Overview

About vulnerability

SVG ImageDescription

SVG ImageAffected Products and Versions

SVG ImageMitigation

SVG ImageCredit

SVG ImageReferences

SVG ImageHistory

Details

SVG ImageDescription

SVG ImageAffected Products and Versions

SVG ImageMitigation

SVG ImageCredit

SVG ImageReferences

SVG ImageHistory

Statement

Subscribe to updates

Unsubscribe

Contact us

Message Delivered!