VYPR

Spring Cloud Config

by VMware

Source repositories

CVEs (4)

  • CVE-2026-40982CriMay 7, 2026
    risk 0.52cvss 9.1epss 0.01

    Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config…

  • CVE-2026-40981HigMay 7, 2026
    risk 0.42cvss 7.5epss 0.00

    When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to…

  • CVE-2026-41002HigMay 7, 2026
    risk 0.40cvss 7.2epss 0.00

    The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to…

  • CVE-2026-41004MedMay 7, 2026
    risk 0.22cvss 4.4epss 0.00

    When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x:…