PT-2026-38329 · Google · Google Secrets Manager
Published: 2026-05-07 · Updated: 2026-05-12
CVE-2026-40981
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Spring Cloud Config versions 3.1.0 through 3.1.13
Spring Cloud Config versions 4.1.0 through 4.1.9
Spring Cloud Config versions 4.2.0 through 4.2.6
Spring Cloud Config versions 4.3.0 through 4.3.2
Spring Cloud Config versions 5.0.0 through 5.0.2
Description
When using Google Secrets Manager as a backend for the Spring Cloud Config server, a client can craft a request to the config server that potentially exposes secrets from unintended GCP projects.
Recommendations
Upgrade versions 3.1.0 through 3.1.13 to 3.1.14 or greater.
Upgrade versions 4.1.0 through 4.1.9 to 4.1.10 or greater.
Upgrade versions 4.2.0 through 4.2.6 to 4.2.7 or greater.
Upgrade versions 4.3.0 through 4.3.2 to 4.3.3 or greater.
Upgrade versions 5.0.0 through 5.0.2 to 5.0.3 or greater.
Fix
IDOR
Related Identifiers
Affected Products
Google Secrets Manager
Spring Cloud Config