Security researchers have identified four new vulnerabilities in the Spring Cloud Config Server, ranging from medium to critical severity.
These newly disclosed flaws could allow attackers to access arbitrary files, leak Google Cloud Platform (GCP) secrets, and manipulate system directories. Administrators, please patch your systems immediately to prevent active exploitation.
Critical Directory Traversal Flaw
The most severe issue, CVE-2026-40982, is a critical directory-traversal vulnerability. The spring-cloud-config-server module allows applications to serve arbitrary text and binary files. By sending a specially crafted URL request, an unauthenticated remote attacker can exploit this module to execute a directory traversal attack.
This grants malicious actors unauthorized access to sensitive files stored on the server. Security researchers Swapnil Paliwal, August 829, rash18mi, and the AxiomCode security team responsibly disclosed this critical flaw.
GCP Secret Exposure Risk
A high-severity vulnerability, CVE-2026-40981, affects organizations that use Google Secrets Manager as the backend for the Spring Cloud Config server. A malicious client can craft a specific request to the configuration server that exposes secrets from unintended GCP projects.
If immediate patching is not possible, administrators can mitigate this risk by making the token mandatory in their configuration. Setting `spring.cloud.config.server.gcp-secret-manager.token-mandatory=true` forces the client to send a valid token, which the server verifies before returning the requested project's secrets.
TOCTOU Attack and Logging Issues
Two additional vulnerabilities pose notable risks to the config server environment. Tracked as CVE-2026-41002, a high-severity time-of-check to time-of-use (TOCTOU) vulnerability affects the base directory used to clone Git repositories.
This race condition could allow an attacker to manipulate files during the cloning process. This flaw was discovered and reported by Yu Bao from PayPal.
Additionally, a medium-severity flaw, CVE-2026-41004, exposes sensitive information through application logs. When trace logging is enabled on the server, the system writes sensitive data in plain text directly to log files, creating a significant data exposure risk.
| CVE Identifier | Severity | Description |
|---|---|---|
| CVE-2026-40982 | Critical | Directory traversal via a crafted URL in the file-serving module |
| CVE-2026-40981 | High | Exposure of secrets from unintended GCP projects (Google Secrets Manager backend) |
| CVE-2026-41002 | High | TOCTOU race condition in the base directory used to clone Git repositories |
| CVE-2026-41004 | Medium | Sensitive data written in plain text to log files when trace logging is enabled |
These vulnerabilities impact multiple branches of Spring Cloud Config, including versions 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. Older, unsupported versions also remain vulnerable.
To secure their environments, organizations must upgrade to the appropriate patched versions based on their current release branch. Users on the 4.3.x and 5.0.x branches can access Open Source Software (OSS) patches by upgrading to versions 4.3.3 and 5.0.3, respectively.
Organizations running older branches must maintain an active Enterprise Support agreement with VMware to access the fixed releases, which include versions 3.1.14, 4.1.10, and 4.2.7.
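As an added example (not code from the article or from the Spring project), the following Python encodes the branch-to-fix mapping above and checks deployed versions, including versions pulled from `mvn dependency:tree` output; the sample tree is constructed, and branches the article does not list are treated as unsupported.

```python
import re
# Fixed releases per branch, as listed in the article: 4.3.x and 5.0.x fixes
# are OSS releases; 3.1.x, 4.1.x and 4.2.x fixes need VMware enterprise support.
FIXED = {
    (3, 1): ((3, 1, 14), "enterprise"),
    (4, 1): ((4, 1, 10), "enterprise"),
    (4, 2): ((4, 2, 7), "enterprise"),
    (4, 3): ((4, 3, 3), "oss"),
    (5, 0): ((5, 0, 3), "oss"),
}
# Matches the server artifact in `mvn dependency:tree` output, e.g.
# "org.springframework.cloud:spring-cloud-config-server:jar:4.3.2:compile".
ARTIFACT = re.compile(
    r"org\.springframework\.cloud:spring-cloud-config-server:[\w-]+:([^:\s]+)")

def parse_version(text):
    """Return (major, minor, patch, is_prerelease); accepts '4.3.2',
    '4.3.2.RELEASE' and '5.0.3-SNAPSHOT' style strings."""
    core, _, qualifier = text.strip().partition("-")
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts[:3]) + (bool(qualifier),)

def assess(version_text):
    """Classify one version as fixed, vulnerable or unsupported and report the
    release to move to and whether it is an OSS or enterprise release."""
    major, minor, patch, prerelease = parse_version(version_text)
    entry = FIXED.get((major, minor))
    if entry is None:
        # Branches the article does not list are unsupported and stay vulnerable.
        return {"version": version_text, "status": "unsupported",
                "upgrade_to": "4.3.3 or 5.0.3", "channel": "oss"}
    fixed, channel = entry
    current = (major, minor, patch)
    # A -SNAPSHOT or -RC build of the fix version predates its GA release.
    is_fixed = current > fixed or (current == fixed and not prerelease)
    return {"version": version_text, "status": "fixed" if is_fixed else "vulnerable",
            "upgrade_to": ".".join(map(str, fixed)), "channel": channel}

def assess_dependency_tree(tree_text):
    """Assess every spring-cloud-config-server version found in tree output."""
    return [assess(m.group(1)) for m in ARTIFACT.finditer(tree_text)]

# Constructed sample of `mvn dependency:tree` output, not from a real build.
SAMPLE_TREE = """\
[INFO] com.example:config-server:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-config-server:jar:4.3.2:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-config-client:jar:4.3.2:compile
"""
```

Run `assess_dependency_tree(SAMPLE_TREE)` over real tree output to flag every server artifact that still sits below its branch's fixed release.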