Description
Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
Affected and fixed versions by branch:
  • Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
  • Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Published: 2026-05-07
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Cloud Config enables applications to serve arbitrary text and binary files via the spring-cloud-config-server module. A specially crafted URL can trigger a directory traversal exploit, allowing an attacker to access and download files outside the intended configuration directory. The flaw directly compromises confidentiality by exposing potentially sensitive files on the server, and could enable further attacks if those files contain secrets or executable code.

Affected Systems

The affected product is Spring Cloud Config. Vulnerable versions are 3.1.0 through 3.1.13, 4.1.0 through 4.1.9, 4.2.0 through 4.2.6, 4.3.0 through 4.3.2, and 5.0.0 through 5.0.2. All affected releases expose the flaw through the spring-cloud-config-server module. The fixed releases are 3.1.14, 4.1.10 and 4.2.7 or later (available under Enterprise Support only), and 4.3.3 and 5.0.3 or later for the open-source branches; upgrade to the fixed release of the branch in use.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1 (rated Critical). The EPSS score is not available, and the lack of a KEV listing does not diminish the potential impact. The attack requires only a crafted request to the Config Server over the network, with no privileges or user interaction, so it can be performed by anyone who can reach the server's endpoint. Because the flaw allows reading of arbitrary files, an adversary could acquire confidential data or use the information to facilitate additional attacks. Given the high CVSS score and the ability to exploit the flaw remotely, the risk is significant.

Generated by OpenCVE AI on May 7, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Cloud Config to a fixed version (≥ 3.1.14, ≥ 4.1.10, ≥ 4.2.7, ≥ 4.3.3, or ≥ 5.0.3, as appropriate for the branch in use).
  • Restrict network access to the Config Server API so that only trusted clients can reach it.
  • Audit the configuration to ensure that file path validation is enforced and that the server does not expose unintended directories.
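The last action above is the generic CWE-22 control: a requested file name must be resolved to a canonical path and checked to lie inside the configured base directory before anything is read. The following is an added illustration of that check, written for this page; it is not Spring Cloud Config's own code and does not reproduce the affected component. The class name SafeFileResolver, the temporary directory fixture and the sample file names are all constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example of a CWE-22 containment check (not Spring Cloud Config's code). */
public final class SafeFileResolver {

    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // Canonicalise the base once: resolves symlinks and "."/".." segments.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the canonical path of the requested file only if it lies inside
     * baseDir; otherwise throws SecurityException. The comparison is done on
     * the filesystem-resolved path, so neither lexical "..", an absolute path,
     * nor a symlink inside baseDir can escape the directory.
     */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid path");
        }
        // resolve() returns the argument unchanged when it is absolute, which the
        // startsWith check below then rejects.
        Path candidate = baseDir.resolve(requested).normalize();
        Path real = candidate.toRealPath(); // NoSuchFileException if absent
        if (!real.startsWith(baseDir)) {    // component-wise prefix test
            throw new SecurityException("path escapes base directory: " + requested);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a config directory with one file, and one file outside it.
        Path base = Files.createTempDirectory("config-repo");
        Files.writeString(base.resolve("application.yml"), "server.port: 8080\n");
        Path outside = Files.createTempFile("secret", ".txt");

        SafeFileResolver resolver = new SafeFileResolver(base);
        System.out.println("allowed:  " + resolver.resolve("application.yml"));

        String[] rejected = {
            "../" + outside.getFileName(),          // lexical traversal
            outside.toString(),                     // absolute path
            "sub/../../" + outside.getFileName()    // traversal after a bogus segment
        };
        for (String r : rejected) {
            try {
                resolver.resolve(r);
                System.out.println("UNEXPECTEDLY allowed: " + r);
            } catch (SecurityException e) {
                System.out.println("rejected: " + r);
            }
        }

        Files.deleteIfExists(base.resolve("application.yml"));
        Files.deleteIfExists(base);
        Files.deleteIfExists(outside);
    }
}
```

Run with `java SafeFileResolver.java` (Java 11 or later). The important design point is that normalize() alone is not sufficient: it only removes ".." lexically, so the check compares the real path returned by toRealPath() against the real base directory, which also defeats symlinks placed inside the served tree.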


Advisories

No advisories yet.

References
History

Thu, 07 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Spring; Spring Cloud Config

Type: Vendors & Products
Values Added: Spring; Spring Cloud Config

Thu, 07 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

Type: Title
Values Added: Unauthorized File Disclosure via Directory Traversal in Spring Cloud Config Server

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values Added: Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-05-07T12:55:59.204Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40982

Vulnrichment

Updated: 2026-05-07T12:55:56.355Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T04:16:24.790

Modified: 2026-05-07T14:56:04.523

Link: CVE-2026-40982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:10Z

Weaknesses