| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Micrometer | >= 1.16.0, < 1.16.6 | affected |
| Spring | Micrometer | >= 1.15.0, < 1.15.12 | affected |
| Spring | Micrometer | >= 1.14.0, < 1.14.16 | affected |
| Spring | Micrometer | >= 1.13.0, < 1.13.19 | affected |
| Spring | Micrometer | >= 1.9.0, < 1.9.18 | affected |
| … +5 more rows | | | |

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Spring | Micrometer | 1.16.0 ~ 1.16.6 | - |

No public POC found.

| CVE | CVSS | Title |
|---|---|---|
| CVE-2026-41717 | 8.1 HIGH | Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding |
| CVE-2026-41732 | 8.1 HIGH | In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper expose |
| CVE-2026-41855 | 8.1 HIGH | Spring Framework Unsafe Deserialization via Jackson JMS Converters |
| CVE-2026-41729 | 8.1 HIGH | Spring Data REST SpEL Injection via Map Key in JSON Patch |
| CVE-2026-41731 | 8.1 HIGH | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers expose |
| CVE-2026-41003 | 7.6 HIGH | Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting |
| CVE-2026-41728 | 7.5 HIGH | Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objec |
| CVE-2026-40988 | 7.5 HIGH | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider |
| CVE-2026-40983 | 7.5 HIGH | Micrometer gRPC server instrumentation DoS vulnerability |
| CVE-2026-41850 | 7.5 HIGH | Spring Framework Algorithmic Denial of Service via SpEL Expressions |
| CVE-2026-41716 | 7.5 HIGH | Spring Data web support unbounded negative-result cache keyed on attacker-supplied propert |
| CVE-2026-41695 | 7.5 HIGH | Denial of Service in Spring Data Commons Property Path Resolution |
| CVE-2026-41849 | 7.5 HIGH | Spring Framework Denial of Service via Integer Overflow in SpEL Expressions |
| CVE-2026-41006 | 7.5 HIGH | Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration |
| CVE-2026-41007 | 7.5 HIGH | Spring HATEOAS heap exhaustion through unbounded internal caching |
| CVE-2026-41842 | 7.5 HIGH | Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux |
| CVE-2026-41720 | 7.4 HIGH | Authentication Bypass with Empty Password in Spring LDAP |
| CVE-2026-40993 | 7.3 HIGH | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Databa |
| CVE-2026-41845 | 7.1 HIGH | Spring Framework Cross-site Scripting via JavaScriptUtils |
| CVE-2026-47838 | 6.8 MEDIUM | Unauthorized User Impersonation when Using X.509 Client Certificates |

Showing top 20 of 51 CVEs.