PatchSiren cyber security CVE debrief
CVE-2026-40984 Spring CVE debrief
CVE-2026-40984 is a high-severity vulnerability in Micrometer, a popular metrics library for Java applications. The vulnerability allows an attacker to cause a denial-of-service (DoS) condition by providing specially crafted HTTP requests. The affected versions of Micrometer include micrometer-core 1.16.0 through 1.16.5, 1.15.0 through 1.15.11, 1.14.0 through 1.14.15, 1.13.0 through 1.13.18, and 1.9.0 through 1.9.17, as well as micrometer-jetty11 and micrometer-jetty12 with similar version ranges.
- Vendor: Spring
- Product: Micrometer
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of Micrometer, particularly those using the affected versions, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
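The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: it can be exploited over the network (AV:N) with low attack complexity (AC:L), and requires no privileges (PR:N) or user interaction (UI:N). The impact is on availability only (A:H), with no confidentiality or integrity impact (C:N/I:N), which matches the denial-of-service description.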
Defensive priority
High
Recommended defensive actions
- Upgrade to a non-affected version of Micrometer.
- Implement additional security measures to detect and prevent DoS attacks.
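To find which builds need the upgrade, the following added example (not code from Micrometer or from the advisory) checks dependency coordinates against the micrometer-core ranges listed above. It assumes input in the `group:artifact:type:version:scope` format printed by `mvn dependency:list`; the status labels and function names are hypothetical, and the jetty modules are only flagged because this page does not give their exact ranges.

```python
import re

# micrometer-core ranges exactly as listed in the debrief (inclusive bounds).
AFFECTED_CORE = [
    ((1, 16, 0), (1, 16, 5)), ((1, 15, 0), (1, 15, 11)),
    ((1, 14, 0), (1, 14, 15)), ((1, 13, 0), (1, 13, 18)),
    ((1, 9, 0), (1, 9, 17)),
]
# Named in the debrief, but only with "similar version ranges" (no exact bounds).
RANGE_NOT_STATED = {"micrometer-jetty11", "micrometer-jetty12"}


def classify(line):
    """Return (artifact, version, status) for a named Micrometer module, else None."""
    m = re.search(r"io\.micrometer:\S+", line)
    parts = m.group(0).split(":") if m else []
    if len(parts) < 5:  # expect group:artifact:type[:classifier]:version:scope
        return None
    artifact, version = parts[1], parts[-2]
    if artifact in RANGE_NOT_STATED:
        return artifact, version, "check-advisory"
    if artifact != "micrometer-core":
        return None  # module not named in the debrief
    v = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not v:  # qualifiers such as -SNAPSHOT or -RC1 need a manual look
        return artifact, version, "review"
    key = tuple(map(int, v.groups()))
    hit = any(lo <= key <= hi for lo, hi in AFFECTED_CORE)
    return artifact, version, "affected" if hit else "not-listed"


def scan(text):
    """Classify every line of dependency output; lines with no match are dropped."""
    return [r for r in map(classify, text.splitlines()) if r]


# Constructed sample lines in `mvn dependency:list` coordinate format.
SAMPLE = """\
[INFO]    io.micrometer:micrometer-core:jar:1.15.11:compile
[INFO]    io.micrometer:micrometer-core:jar:1.15.12:compile
[INFO]    io.micrometer:micrometer-core:jar:1.12.4:runtime
[INFO]    io.micrometer:micrometer-jetty12:jar:1.14.3:compile
[INFO]    io.micrometer:micrometer-core:jar:1.16.0-SNAPSHOT:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.13:compile
"""

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(f"{status:15} {artifact}:{version}")
```

A "not-listed" result only means the version falls outside the ranges quoted on this page; confirm the fixed release against the vendor advisory before closing the finding.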
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].
Official resources
- CVE-2026-40984 CVE record (CVE.org)
- CVE-2026-40984 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-40984 was published on 2026-06-09T05:16:34.780Z and modified on 2026-06-09T13:49:39.993Z.