PT-2026-38331 · VMware · Spring Cloud Config

Published 2026-05-07 · Updated 2026-05-07

CVE-2026-41002

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Spring Cloud Config versions 3.1.0 through 3.1.13
Spring Cloud Config versions 4.1.0 through 4.1.9
Spring Cloud Config versions 4.2.0 through 4.2.6
Spring Cloud Config versions 4.3.0 through 4.3.2
Spring Cloud Config versions 5.0.0 through 5.0.2
Description

The base directory spring.cloud.config.server.git.basedir, used by the Spring Cloud Config Server to clone Git repositories, is susceptible to time-of-check-to-time-of-use (TOCTOU) attacks. TOCTOU is a race condition in which a system checks the state of a resource and then performs an action based on that state, but the resource is modified between the check and the action.
Recommendations

Upgrade versions 3.1.0 through 3.1.13 to 3.1.14 or greater.
Upgrade versions 4.1.0 through 4.1.9 to 4.1.10 or greater.
Upgrade versions 4.2.0 through 4.2.6 to 4.2.7 or greater.
Upgrade versions 4.3.0 through 4.3.2 to 4.3.3 or greater.
Upgrade versions 5.0.0 through 5.0.2 to 5.0.3 or greater.

Fix

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

CVE-2026-41002
GHSA-86WQ-234Q-R6WG

Affected Products

Spring Cloud Config