Threat Advisory

Spring Cloud Config Server Vulnerabilities Extract Cloud Secrets

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A set of flaws in Spring Cloud Config Server can lead to severe data exposure, including arbitrary file access and leakage of sensitive cloud credentials such as Google Cloud Platform (GCP) secrets. The most serious issue is a directory traversal vulnerability that allows attackers to manipulate request URLs and read files outside the intended configuration directory. Another high-risk flaw affects integrations with GCP Secret Manager, where improper isolation between projects can allow unauthorized access to secrets from other GCP projects connected to the same Config Server. Additional issues include a TOCTOU race condition in Git-based repositories and plaintext exposure of sensitive data in logs when trace logging is enabled. These flaws collectively impact multiple Spring Cloud Config versions and pose a high risk to organizations using centralized configuration for microservices.

CVE-2026-40982 with a CVSS score of 9.1 – The flaw exists in the spring-cloud-config-server module, which allows applications to serve text and binary files. An attacker can exploit it by sending a request with a “specially crafted URL” to trigger a directory traversal attack, reading arbitrary files from the server’s filesystem that they should not have access to.

CVE-2026-40981 with a CVSS score of 7.5 – Improper isolation in the Google Secret Manager integration allows clients to access secrets from other GCP projects linked to the same Config Server.

CVE-2026-41002 with a CVSS score of 7.2 – The base directory used by the Config Server to clone Git repositories is susceptible to a Time-of-Check-Time-of-Use attack, allowing an attacker with local access to manipulate the directory between the time it is checked and the time it is used, leading to unauthorized file operations.

CVE-2026-41004 with a CVSS score of 4.4 – When trace logging is enabled, the Config Server inadvertently writes sensitive information in plain text to the application logs, allowing anyone with log access to view credentials or secrets without authorization.
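As an added example (not part of the advisory or of the Spring project), the following Python scans constructed reverse-proxy access-log lines for requests to the Config Server's file-serving endpoint whose path climbs above the configuration directory after percent-decoding, which is the traversal pattern the first CVE describes. It assumes the endpoint shape `/{application}/{profile}/{label}/{path}` and a combined log format; both are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumption: combined log format from a reverse
# proxy in front of a Spring Cloud Config Server). The /{app}/{profile}/{label}/{path}
# endpoint shape is assumed; the first three segments are routing, the rest a file path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /myapp/default/main/application.yml HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2026:10:00:02 +0000] "GET /myapp/default/main/..%2F..%2F..%2Fnot-in-repo.txt HTTP/1.1" 200 1234
10.0.0.9 - - [01/May/2026:10:00:03 +0000] "GET /myapp/default/main/%252e%252e/%252e%252e/x.txt HTTP/1.1" 404 0
10.0.0.5 - - [01/May/2026:10:00:04 +0000] "GET /myapp/default/main/sub/dir/logback.xml HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .) up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def escapes_base(request_path: str, depth: int = 3) -> bool:
    """True if the decoded file-path part climbs above the {app}/{profile}/{label} prefix.
    Only the segments after the first `depth` routing segments are checked (assumption)."""
    decoded = fully_decode(request_path.split("?", 1)[0])
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if len(segments) <= depth:
        return False
    level = 0  # current depth below the config root; dropping below 0 means escape
    for seg in segments[depth:]:
        if seg == "..":
            level -= 1
            if level < 0:
                return True
        else:
            level += 1
    return False

def flag_traversal(log_text: str) -> list[str]:
    """Return the raw log lines whose request target escapes the config base path."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_base(m.group("target")):
            flagged.append(line)
    return flagged
```

A 200 status on a flagged line is the case to triage first, since a 404 suggests the traversal did not reach a readable file.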

RECOMMENDATION:

We strongly recommend updating Spring Cloud Config Server to the fixed versions listed in the Spring security advisory for each CVE:
CVE-2026-40982: https://spring.io/security/cve-2026-40982
CVE-2026-40981: https://spring.io/security/cve-2026-40981
CVE-2026-41002: https://spring.io/security/cve-2026-41002
CVE-2026-41004: https://spring.io/security/cve-2026-41004

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/critical-spring-cloud-config-flaws-expose-arbitrary-files-and-gcp-secrets/
