Impact
A crafted request to a Spring Cloud Config server that is configured to use Google Secrets Manager can expose secrets from unintended Google Cloud Platform projects. The vulnerability stems from insufficient authorization checks, which allow an attacker to request data tied to other projects and obtain sensitive credentials. The exposed information includes service account keys, passwords, and other secrets that could be leveraged for further compromise. The weakness aligns with CWE-639, Authorization Bypass Through User-Controlled Key. The likely attack vector is a crafted request from a client with network access to the Config server.
Affected Systems
Spring Cloud Config from the Spring vendor is affected. Versions 3.1.0 through 3.1.13, 4.1.0 through 4.1.9, 4.2.0 through 4.2.6, 4.3.0 through 4.3.2, and 5.0.0 through 5.0.2 are vulnerable. The first non-affected releases are 3.1.14, 4.1.10, 4.2.7, 4.3.3, and 5.0.3 respectively. Upgrading to the latest supported patch level of the release line in use prevents secret exposure.
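The version ranges above, turned into a check that can be run over a deployment inventory. This is an added example written for this page, not code from Spring or OpenCVE; the inventory line format and the sample entries are constructed, and only the release lines the advisory names are judged.

```python
from __future__ import annotations

# (first affected, last affected, first fixed) per release line, inclusive,
# exactly as the advisory above states them.
AFFECTED_RANGES = [
    ((3, 1, 0), (3, 1, 13), (3, 1, 14)),
    ((4, 1, 0), (4, 1, 9), (4, 1, 10)),
    ((4, 2, 0), (4, 2, 6), (4, 2, 7)),
    ((4, 3, 0), (4, 3, 2), (4, 3, 3)),
    ((5, 0, 0), (5, 0, 2), (5, 0, 3)),
]

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '4.2.6', '4.2.6-SNAPSHOT' or '4.2.6.RELEASE' into (4, 2, 6)."""
    parts = text.strip().split("-", 1)[0].split(".")[:3]
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one version string.
    Only release lines named in the advisory are judged; anything else
    (a 4.0.x build, say) comes back 'not listed', which is not 'safe'."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return "affected"
        if v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    return "not listed"

def scan_inventory(lines: list[str]) -> dict[str, str]:
    """Map 'name=<service> version=<ver>' inventory lines to a status each."""
    result: dict[str, str] = {}
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        result[fields["name"]] = classify(fields["version"])
    return result

# Constructed inventory lines for illustration only; not real hosts.
SAMPLE_INVENTORY = [
    "name=config-prod version=4.2.6",
    "name=config-stage version=4.2.7",
    "name=config-legacy version=3.1.13-SNAPSHOT",
    "name=config-lab version=4.0.4",
]

if __name__ == "__main__":
    for name, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

A "not listed" result means the advisory says nothing about that release line, so it should be checked against the vendor's own advisory rather than treated as patched.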
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. No EPSS score is available to quantify exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. Nonetheless, based on the description, the attack vector is remote: any client with network access to the Config server, including an internal or compromised machine, can issue the request. Because secrets are exposed, the impact on confidentiality is significant; an attacker could use the data for lateral movement or to impersonate services.
OpenCVE Enrichment