Serial number: AV26-558
Date: June 9, 2026
On June 8, 2026, Spring published security advisories to address vulnerabilities in the following products:
- Micrometer / Micrometer-core / jetty11 / jetty12 – multiple versions
- Spring LDAP – multiple versions
- Spring Framework – multiple versions
The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
- CVE-2026-40984: Micrometer HTTP server instrumentations DoS vulnerability
- CVE-2026-40983: Micrometer gRPC server instrumentation DoS vulnerability
- CVE-2026-41720: Authentication Bypass with Empty Password in Spring LDAP
- CVE-2026-41842: Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux
- Spring Security Advisories