Introduction
Micrometer, the default metrics instrumentation library embedded in every Spring Boot application with Actuator enabled, contains a denial of service flaw that allows unauthenticated attackers to exhaust server resources with specially crafted HTTP requests. Given that Spring Boot is the dominant Java application framework in enterprise environments, the blast radius of CVE-2026-40984 extends across financial services, healthcare, government, and virtually any organization running JVM workloads with observability enabled.
Micrometer provides a vendor neutral metrics collection facade for JVM applications, allowing code to be instrumented once and exported to backends like Prometheus, Datadog, Influx, and others. VMware describes it as "the gold standard in observability," and its integration as the default metrics layer in Spring Boot gives it an enormous installed base. Any Spring Boot application with metrics enabled is automatically using Micrometer, making this vulnerability relevant to a significant portion of the Java ecosystem.
Technical Information
CVE-2026-40984 is classified under CWE-400: Uncontrolled Resource Consumption, a weakness where a product fails to properly control the allocation and maintenance of limited resources such as memory, CPU cycles, or connections. CWE-400 is a consistent entry on the CWE Top 25 Most Dangerous Software Weaknesses list, underscoring both its severity and prevalence in real world software.
Root Cause
The vulnerability resides in Micrometer's HTTP server instrumentation layer. When the instrumentation modules process incoming HTTP requests to record metrics, they fail to properly bound resource consumption for certain crafted inputs. According to the Spring advisory, an application is vulnerable when all of the following conditions are true:
- The application uses a vulnerable version of
io.micrometer:micrometer-core,micrometer-jetty11, ormicrometer-jetty12 - The HTTP server instrumentations are configured
- Metrics are being recorded
Three distinct artifacts are affected. The micrometer-jetty11 and micrometer-jetty12 modules instrument the Jetty 11.x and Jetty 12.x HTTP server frameworks respectively, meaning any Spring Boot or JVM application using Jetty as its embedded server with Micrometer metrics enabled is potentially exposed. The micrometer-core artifact provides the foundational instrumentation that these Jetty modules build upon.
CVSS v3.1 Vector Analysis
The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields a base score of 7.5 (HIGH). The breakdown is worth examining in detail:
| Component | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user action required |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | None | No information disclosure |
| Integrity | None | No data modification |
| Availability | High | Complete denial of service |
The most notable attributes are the combination of network accessibility, zero authentication requirement, and complete availability impact. The only mitigating factor in the CVSS scoring is that the vulnerability affects availability alone, with no confidentiality or integrity compromise.
Attack Flow
An attacker can exploit this vulnerability through the following sequence:
- Identify a target service that uses Micrometer HTTP server instrumentation (any Spring Boot application with Actuator metrics and Jetty, or any JVM application using the affected Micrometer modules directly)
- Send specially crafted HTTP requests to the service endpoint
- The Micrometer instrumentation layer processes the request metadata for metrics collection
- The crafted input triggers uncontrolled resource consumption within the instrumentation code
- Server resources are exhausted, resulting in denial of service
No authentication, special timing, or user cooperation is needed. A single properly crafted HTTP request can trigger the resource consumption.
Relationship to CVE-2026-40983
Published the same day (June 8, 2026) by the same researcher, CVE-2026-40983 is a parallel DoS vulnerability in Micrometer's gRPC server instrumentation. Both CVEs share the same CWE-400 classification and the same discoverer: Yu Bao (@August829) from PayPal. This simultaneous disclosure of two related DoS flaws in different Micrometer instrumentation modules reveals a systemic weakness in how the instrumentation layer handles request metadata for metrics collection. The resource consumption attack surface was not adequately bounded in the original implementation across multiple protocol handlers.
Organizations should assess both CVEs simultaneously. Patching one while leaving the other unaddressed leaves residual DoS exposure.
Affected Systems and Versions
The vulnerability affects three Micrometer artifacts across multiple version branches:
micrometer-core:
- 1.16.0 through 1.16.5
- 1.15.0 through 1.15.11
- 1.14.0 through 1.14.15
- 1.13.0 through 1.13.18
- 1.9.0 through 1.9.17
micrometer-jetty11:
- 1.16.0 through 1.16.5
- 1.15.0 through 1.15.11
- 1.14.0 through 1.14.15
- 1.13.0 through 1.13.18
micrometer-jetty12:
- 1.16.0 through 1.16.5
- 1.15.0 through 1.15.11
- 1.14.0 through 1.14.15
- 1.13.0 through 1.13.18
The micrometer-core artifact has the widest affected surface, spanning five major version branches including the older 1.9.x line. The Jetty modules are affected across four branches (1.13.x through 1.16.x). This broad version spread indicates that the underlying flaw has existed in Micrometer's HTTP server instrumentation for an extended period.
Fixed Versions and Availability
| Branch | Fixed Version | Availability |
|---|---|---|
| 1.16.x | 1.16.6 | All OSS users |
| 1.15.x | 1.15.12 | All OSS users |
| 1.14.x | 1.14.16 | VMware Tanzu Spring Enterprise only |
| 1.13.x | 1.13.19 | VMware Tanzu Spring Enterprise only |
| 1.9.x | 1.9.18 | VMware Tanzu Spring Enterprise only |
The Spring advisory confirms that no configuration changes beyond the version upgrade are necessary. Organizations on the 1.14.x, 1.13.x, or 1.9.x branches face a decision: procure VMware Tanzu Spring Enterprise support to access the patch, or migrate to a supported OSS branch (1.15.x or 1.16.x). This two tier remediation landscape creates a cost tension for organizations on older branches, which are often those with the most stability averse change management policies.
Vendor Security History
The Spring ecosystem has experienced multiple security vulnerabilities in 2026, reflecting both the breadth of its codebase and the scrutiny it receives as a widely deployed platform:
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2026-40984 | Micrometer HTTP server | HIGH (7.5) | DoS via crafted HTTP requests |
| CVE-2026-40983 | Micrometer gRPC server | HIGH | DoS via gRPC instrumentation |
| CVE-2026-41842 | Spring Framework | Unspecified | DoS via static resource resolution |
| CVE-2026-40973 | Spring Boot | Unspecified | Predictable temp directory accepted |
| CVE-2026-22732 | Spring Security | Unspecified | HTTP security header bypass |
| CVE-2025-41243 | Spring Cloud Gateway | CVSS 10.0 | Critical vulnerability in Server WebFlux |
The presence of a CVSS 10.0 critical vulnerability in Spring Cloud Gateway demonstrates that the Spring ecosystem is not immune to severe security flaws. The clustering of two Micrometer DoS CVEs on the same day suggests that the Micrometer instrumentation layer had not undergone thorough resource consumption auditing prior to Yu Bao's discovery. Micrometer maintains a dedicated GitHub repository for security advisories at micrometer-metrics/security-advisories, and the Spring team publishes all advisories on spring.io/security.
References
- Spring Advisory: CVE-2026-40984
- Spring Security Advisories
- Canadian Centre for Cyber Security Advisory AV26-558
- CWE-400: Uncontrolled Resource Consumption
- CISA Known Exploited Vulnerabilities Catalog
- Micrometer Documentation
- Micrometer Application Observability
- Micrometer Security Advisories (GitHub)
- Spring Boot Metrics Documentation
- Micrometer: The Gold Standard in Observability (VMware Tanzu)
- VulnCheck: Quantifying 2026 Routinely Targeted Vulnerabilities
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- Broadcom VMware Acquisition (Form 8-K)
- VMware Tanzu: Various Spring Products Are Attackable (Heise)
- IBM Security Bulletin: VMware Tanzu Spring Framework Vulnerabilities



