VMware Spring Cloud Config Hit by Critical Directory Traversal Flaw
VMware’s Spring team disclosed four vulnerabilities in Spring Cloud Config Server on May 6, 2026, including a critical directory-traversal flaw and a high-severity Google Cloud Platform (GCP) secret-exposure vulnerability.
Tracked as CVE-2026-40982, CVE-2026-40981, CVE-2026-41002, and CVE-2026-41004, the flaws affect all actively maintained branches of Spring Cloud Config and demand immediate patching from organizations relying on the framework for centralized configuration management.
The disclosures arrive amid an accelerating wave of Spring CVEs in 2026. The Spring ecosystem published 37 CVEs in March and April alone, more than double all of 2025, with four Critical and 12 High severity issues recorded across Spring Boot, Spring Security, Spring AI, and Spring Cloud.
The most severe of the four, CVE-2026-40982, carries a critical CVSS rating and is triggered by a specially crafted URL sent to the spring-cloud-config-server module.
Because the module serves arbitrary text and binary files to client applications, a successful exploit results in directory traversal, granting unauthorized read and write access to sensitive files on the underlying file system.
Critically, the attack requires no authentication and can be remotely exploited over the network, making it a high-priority target for opportunistic attackers scanning for exposed Config Server instances.
The flaw was responsibly disclosed by Swapnil Paliwal and the security team at AxiomCode using the AxiomEngine, alongside independent researchers August 829 and rash18mi.
This follows a prior related issue, CVE-2026-22739 (CVSS 8.6), which allowed attackers to abuse the profile parameter to access files outside configured search directories or launch Server-Side Request Forgery (SSRF) attacks.
Rated high severity, CVE-2026-40981 specifically targets cloud-native deployments using Google Secrets Manager as a Spring Cloud Config backend.
A malicious client can craft a request that causes the Config Server to return secrets from entirely unintended GCP projects, effectively breaking project-level isolation in multi-tenant environments.
For organizations running large microservices architectures, this could expose credentials, API keys, and sensitive configuration belonging to separate teams or customers.
As an interim workaround, administrators unable to patch immediately can set spring.cloud.config.server.gcp-secret-manager.token-mandatory=true to enforce token-based access verification per project.
CVE-2026-41002 introduces a time-of-check-time-of-use (TOCTOU) race condition in the base directory used by Spring Cloud Config Server to clone Git repositories.
A privileged attacker can exploit the timing gap between when a directory path is validated and when it is actually used, potentially redirecting file system operations to unintended locations and achieving cross-scope configuration or code injection. Yu Bao of PayPal responsibly identified and reported this high-severity issue.
Rated medium severity, CVE-2026-41004 exposes sensitive information in plain text when trace logging is enabled on the Config Server.
Any attacker or malicious insider with access to log files could harvest plaintext credentials or tokens, making it critical to turn off trace-level logging in production environments, regardless of patching status.
Affected Versions and Patches
All four CVEs affect Spring Cloud Config versions 3.1.x through 5.0.x, as well as older unsupported releases. Fixed versions include 3.1.14 (Enterprise Support), 4.1.10 (Enterprise Support), 4.2.7 (Enterprise Support), 4.3.3 (OSS), and 5.0.3 (OSS).
Security teams should immediately upgrade to the fixed versions, audit production logging configurations to eliminate trace-level output, review GCP Secrets Manager token policies, and treat any publicly exposed Config Server instances as potentially compromised until patched.
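As an added helper that is not part of this article or of the Spring project, the following Python classifies a declared Spring Cloud Config dependency version against the fixed releases listed above; the branch-to-fix mapping comes from that list, and the treatment of qualified builds (SNAPSHOT, RC) as pre-release is an assumption.

```python
"""Classify a Spring Cloud Config version against the fixed releases named in
the advisory above. Hypothetical helper, not part of the Spring project."""
import re

# Lowest fixed release on each maintenance branch named in the advisory.
FIXED = {(3, 1): (3, 1, 14), (4, 1): (4, 1, 10), (4, 2): (4, 2, 7),
         (4, 3): (4, 3, 3), (5, 0): (5, 0, 3)}
AFFECTED_LOW, AFFECTED_HIGH = (3, 1), (5, 0)   # "3.1.x through 5.0.x"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), qualifier) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch)), qualifier


def classify(text):
    """Return (status, advice); status is 'fixed', 'vulnerable' or 'unknown'."""
    (major, minor, patch), qualifier = parse_version(text)
    branch = (major, minor)
    fixed = FIXED.get(branch)
    # Assumption: a qualified build such as 5.0.3-SNAPSHOT or 5.0.3-RC1 precedes
    # the GA release of the same number, so it is not counted as fixed.
    is_ga = qualifier is None or qualifier.upper() == "RELEASE"
    if fixed is not None:
        if (major, minor, patch) >= fixed and is_ga:
            return "fixed", "at or above %s" % ".".join(map(str, fixed))
        return "vulnerable", "upgrade to %s or later" % ".".join(map(str, fixed))
    if branch < AFFECTED_LOW:
        return "vulnerable", "unsupported release; move to a supported fixed branch"
    if branch <= AFFECTED_HIGH:
        return "vulnerable", "affected branch with no fix listed; move to a fixed branch"
    return "unknown", "newer branch not covered by the advisory; check its release notes"


def audit(versions):
    """Classify each version string; returns a list of (version, status, advice)."""
    return [(v, *classify(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for row in audit(["3.1.13", "3.1.14", "4.0.5", "4.2.7",
                      "5.0.3-SNAPSHOT", "5.0.3", "5.1.0"]):
        print("%-15s %-10s %s" % row)
```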