Micrometer HTTP server instrumentations DoS vulnerability_CVE-2026-40984

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Affected versions:
micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17.
micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

Basic Information

ID CVE-2026-40984

Source vmware

Published Jun 9, 2026 at 03:47

Affected Product

Vendor Spring

Product Micrometer

Version 1.16.0

Affected Versions Spring Micrometer 1.16.0
Spring Micrometer 1.15.0
Spring Micrometer 1.14.0
Spring Micrometer 1.13.0
Spring Micrometer 1.9.0
Spring Micrometer 1.16.0
Spring Micrometer 1.15.0
Spring Micrometer 1.14.0
Spring Micrometer 1.13.0
Spring Micrometer 1.16.0
Spring Micrometer 1.15.0
Spring Micrometer 1.14.0
Spring Micrometer 1.13.0

CWE Classification

CWE-400

References

spring.io /security/cve-2026-40984

{
    "lastseen": "",
    "description": "In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nAffected versions:\nmicrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17.\nmicrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.\nmicrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.",
    "published": "2026-06-09T03:47:46.447Z",
    "modified": "2026-06-09T03:47:46.447Z",
    "type": "cve",
    "title": "Micrometer HTTP server instrumentations DoS vulnerability",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-40984",
    "id": "CVE-2026-40984",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "Spring Micrometer 1.16.0\nSpring Micrometer 1.15.0\nSpring Micrometer 1.14.0\nSpring Micrometer 1.13.0\nSpring Micrometer 1.9.0\nSpring Micrometer 1.16.0\nSpring Micrometer 1.15.0\nSpring Micrometer 1.14.0\nSpring Micrometer 1.13.0\nSpring Micrometer 1.16.0\nSpring Micrometer 1.15.0\nSpring Micrometer 1.14.0\nSpring Micrometer 1.13.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Micrometer",
    "version": "1.16.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}