CVE-2026-40982

Name of the Vulnerable Software and Affected Versions Spring Cloud Config versions 3.1.0 through 3.1.13 Spring Cloud Config versions 4.1.0 through 4.1.9 Spring Cloud Config versions 4.2.0 through 4.2.6 Spring Cloud Config versions 4.3.0 through 4.3.2 Spring Cloud Config versions 5.0.0 through 5.0.2

Description The spring-cloud-config-server module allows applications to serve arbitrary text and binary files. A malicious user can send a request using a specially crafted URL to perform a directory traversal attack, which is a technique used to access files and directories stored outside the intended folder. Additionally, a GCP secret leak has been identified.

Recommendations Upgrade versions 3.1.0 through 3.1.13 to 3.1.14 or greater. Upgrade versions 4.1.0 through 4.1.9 to 4.1.10 or greater. Upgrade versions 4.2.0 through 4.2.6 to 4.2.7 or greater. Upgrade versions 4.3.0 through 4.3.2 to 4.3.3 or greater. Upgrade versions 5.0.0 through 5.0.2 to 5.0.3 or greater.