The Spring Cloud Config project, a vital component for centralizing external configuration in distributed systems, has released a series of high-impact security updates. The release addresses four distinct vulnerabilities, including a Critical directory traversal flaw that could allow attackers to access sensitive files on the host server.
Organizations utilizing Spring Cloud Config to manage application secrets and configurations are urged to upgrade to the latest versions to mitigate these risks.
The most severe vulnerability in this update is CVE-2026-40982, which carries a CVSS score of 9.1. The flaw exists in the spring-cloud-config-server module, in the functionality that serves plain-text and binary files to client applications.
An attacker can exploit this by sending a request with a “specially crafted URL” to trigger a directory traversal attack. If successful, this would allow the attacker to read arbitrary files from the server’s filesystem that they should not have access to.
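The advisory does not publish the crafted URL, so the following is an added example (not Spring Cloud Config's code) of the two controls a defender wants around a file-serving endpoint: a containment check that refuses any resolved path that leaves the configured base directory, and a detector run over access-log lines that flags traversal indicators whether they arrive raw, percent-encoded or double-encoded. The base directory, log lines and request paths are constructed for illustration.

```python
"""Added example: path-containment check and access-log detection for
directory traversal. Not Spring Cloud Config's own code; the base directory
and log lines below are constructed for illustration."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Indicators of '..' segments, raw or percent-encoded (case-insensitive).
TRAVERSAL_PATTERN = re.compile(r"\.\.[/\\]|%2e%2e|\.\.%2f|\.\.%5c", re.IGNORECASE)


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalised path for `requested` if it stays under `base_dir`,
    otherwise None. Percent-decoding is applied twice so a double-encoded
    '%252e%252e' cannot survive one decoding layer and be interpreted later."""
    base = posixpath.normpath(base_dir)
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:  # an embedded NUL byte is never a legitimate file name
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if candidate == base or candidate.startswith(base.rstrip("/") + "/"):
        return candidate
    return None


# Constructed access-log lines (Common Log Format); the two traversal
# requests are included deliberately as detection input.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /files/application.yml HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /files/%252e%252e/%252e%252e/secrets.yml HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] "GET /health HTTP/1.1" 200 15',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(lines):
    """Return the request targets that carry traversal indicators, checked
    both raw and after one round of percent-decoding."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group(1)
        if TRAVERSAL_PATTERN.search(target) or TRAVERSAL_PATTERN.search(unquote(target)):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print(resolve_within("/srv/config", "app/application.yml"))
    print(resolve_within("/srv/config", "..%2F..%2Fetc%2Fpasswd"))
    for target in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", target)
```

The containment check compares normalised paths rather than looking for `..` substrings, so it also catches mixed encodings the pattern list does not anticipate; the log detector is the cheaper signal to run retrospectively over servers that were exposed before the upgrade, and a hit with a 200 status is the case to investigate first.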
For organizations using Google Secrets Manager as a backend, CVE-2026-40981 presents a significant “High” severity risk. Due to improper isolation, a client can craft a request that potentially exposes secrets from unintended GCP projects that the Config Server has access to.
This vulnerability effectively breaks the multi-project security boundary, allowing an actor to exfiltrate credentials or API keys belonging to different environments or departments.
The advisory also remediates two additional vulnerabilities affecting the integrity and confidentiality of the configuration environment:
- Git Repository TOCTOU (CVE-2026-41002): The base directory used by the Config Server to clone Git repositories is susceptible to a Time-of-Check to Time-of-Use (TOCTOU) race. An attacker with local access could potentially manipulate the directory between the time it is checked and the time it is used, leading to unauthorized file operations.
- Plaintext Log Exposure (CVE-2026-41004): When trace logging was enabled, the Config Server inadvertently placed sensitive information in plain text within the application logs. This could allow anyone with log access to view credentials or secrets without authorization.
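For the log-exposure issue, the defensive counterpart is twofold: scrub credential-bearing values before a record is written, and audit logs that were produced while trace logging was on. The following is an added example, not the project's code; the trace-log lines, class names and the Git remote are constructed, and the regular expressions cover the common shapes (key=value pairs, basic-auth credentials embedded in a URL, and HTTP Authorization header values) rather than whatever specific fields the advisory's fix targets.

```python
"""Added example: redaction of credential-bearing values before they reach
a log, plus a scanner for lines that already leaked. Not Spring Cloud Config's
own code; the trace-log lines below are constructed."""
import logging
import re

# key=value or key: value pairs whose key names a credential
SENSITIVE_KV = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key|credentials?)\b(\s*[=:]\s*)([^\s,;]+)"
)
# user:password embedded in a URL, e.g. a Git remote with basic-auth credentials
URL_CREDS = re.compile(r"(?i)(https?://)([^/\s:@]+):([^@\s/]+)@")
# HTTP Authorization header values
AUTH_HEADER = re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9+/=._-]+")

REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Replace secret material in `text` with a placeholder, keeping the
    surrounding structure so the log line stays readable."""
    text = URL_CREDS.sub(rf"\1\2:{REDACTED}@", text)
    text = AUTH_HEADER.sub(rf"\1 {REDACTED}", text)
    text = SENSITIVE_KV.sub(rf"\1\2{REDACTED}", text)
    return text


def is_sensitive(text: str) -> bool:
    return any(p.search(text) for p in (URL_CREDS, AUTH_HEADER, SENSITIVE_KV))


def find_leaks(lines):
    """Indices of lines that carry unredacted secret material (audit use)."""
    return [i for i, line in enumerate(lines) if is_sensitive(line)]


class RedactingFilter(logging.Filter):
    """Attach to a handler or logger so every record is scrubbed before output."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed trace-log lines in the style of a verbose config server log.
SAMPLE_TRACE_LOG = [
    "2026-01-01 10:00:00 TRACE EnvironmentLookup - application=demo profile=default",
    "2026-01-01 10:00:01 TRACE GitClient - cloning https://deploy:s3cr3t-pw@git.example.invalid/config.git",
    "2026-01-01 10:00:02 TRACE HttpClient - header Authorization: Basic ZGVwbG95OnMzY3IzdC1wdw==",
    "2026-01-01 10:00:03 TRACE Settings - spring.cloud.config.server.git.password=hunter2",
]


if __name__ == "__main__":
    print("leaking lines:", find_leaks(SAMPLE_TRACE_LOG))
    logger = logging.getLogger("config-server")
    logger.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    for line in SAMPLE_TRACE_LOG:
        logger.debug(line)
```

The filter scrubs on the way out, which is the right place when the logging framework cannot be told which fields are secret; the scanner is what to run over archived logs, since anyone who could read them while trace logging was enabled has already seen the values, and the exposed credentials should be rotated rather than merely redacted in place.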
These vulnerabilities impact the 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x release lines, as well as older unsupported versions.
| CVE ID | Severity | Vulnerability Type | Fixed OSS Version |
|---|---|---|---|
| CVE-2026-40982 | 9.1 (Critical) | Directory Traversal | 4.3.3, 5.0.3 |
| CVE-2026-40981 | 7.5 (High) | Secret Exposure (GCP) | 4.3.3, 5.0.3 |
| CVE-2026-41002 | 7.2 (High) | TOCTOU Attack | 4.3.3, 5.0.3 |
| CVE-2026-41004 | 4.4 (Medium) | Sensitive Log Leak | 4.3.3, 5.0.3 |