Critical Spring Cloud Config Flaws Can Expose Files and GCP Secrets
The Spring team has patched four Spring Cloud Config Server vulnerabilities that can expose sensitive files, Google Cloud secrets, Git repository paths, and internal log data. The flaws affect several supported release lines, so teams running Spring Cloud Config Server should upgrade as soon as possible.
The most serious bug, CVE-2026-40982, carries a critical severity rating. It allows a malicious user to send a specially crafted URL that can trigger a directory traversal attack through the Spring Cloud Config Server module.
The remaining issues include a high-severity Google Secret Manager exposure bug, a high-severity Git base directory race condition, and a medium-severity logging issue that can place sensitive information in plain text logs.
What Spring Cloud Config does
Spring Cloud Config helps teams manage external configuration for distributed apps and microservices. Instead of storing settings inside each application, teams can centralize configuration and serve it to client applications.
This setup makes Spring Cloud Config important in cloud and enterprise environments. It can hold paths, tokens, service credentials, repository data, and settings that many applications depend on.
That same role also raises the risk. If attackers reach a vulnerable Config Server, they may gain access to sensitive data that affects more than one service.
At a glance
| CVE | Severity | Issue | Impact |
|---|---|---|---|
| CVE-2026-40982 | Critical | Directory traversal | Can expose arbitrary files through crafted requests |
| CVE-2026-40981 | High | Google Secret Manager access issue | Can expose secrets from unintended GCP projects |
| CVE-2026-41002 | High | TOCTOU race condition | Can affect the Git base directory used for repository cloning |
| CVE-2026-41004 | Medium | Trace logging leak | Can place sensitive information in plain text logs |
CVE-2026-40982 allows directory traversal
CVE-2026-40982 affects the spring-cloud-config-server module. Spring says the module can serve arbitrary text and binary files, and an attacker can send a crafted URL that leads to directory traversal.
This type of bug can let attackers move outside expected directories and reach files that the server process can access. In a configuration system, that can create a serious exposure risk.
Spring rates this issue as critical. The affected lines include Spring Cloud Config 3.1.x, 4.1.x, 4.2.x, 4.3.x, 5.0.x, and older unsupported versions.
CVE-2026-40981 can expose GCP secrets
CVE-2026-40981 affects deployments that use Google Secret Manager as a backend for Spring Cloud Config Server. Spring says a client can craft a request that may expose secrets from unintended Google Cloud projects.
This bug creates a dangerous scenario for organizations that centralize secrets across cloud projects. A request to the Config Server may reach secrets outside the project the client should access.
Spring provides a temporary workaround for teams that cannot upgrade right away. Administrators can set spring.cloud.config.server.gcp-secret-manager.token-mandatory=true so the server requires a valid token and checks access to the requested project secrets.
CVE-2026-41002 affects Git clone directories
CVE-2026-41002 affects the base directory that Spring Cloud Config Server uses to clone Git repositories. Spring describes it as a time-of-check to time-of-use (TOCTOU) issue tied to spring.cloud.config.server.git.basedir.
A TOCTOU bug happens when software checks a resource and then acts on it later, after the resource may already have changed. In this case, the issue affects the directory that Config Server uses during Git repository operations.
Spring credits Yu Bao from PayPal for reporting this vulnerability. The issue carries a high severity rating and affects the same Spring Cloud Config release lines listed in the advisories.
CVE-2026-41004 can leak sensitive log data
CVE-2026-41004 affects trace logging in Spring Cloud Config Server. Spring says the server placed sensitive information in plain text logs when administrators enabled trace logging.
This issue does not require the same attack path as the directory traversal flaw. However, it can still create risk when logs reach users, tools, storage buckets, or monitoring systems that should not receive secrets.
Teams should review logging settings, log retention, and access controls after patching. They should also rotate any credentials that may have appeared in trace logs.
Affected and fixed versions
| Affected line | Fixed version | Availability |
|---|---|---|
| 3.1.x | 3.1.14 | Enterprise Support Only |
| 4.1.x | 4.1.10 | Enterprise Support Only |
| 4.2.x | 4.2.7 | Enterprise Support Only |
| 4.3.x | 4.3.3 | OSS |
| 5.0.x | 5.0.3 | OSS |
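To put the table above to use, here is an added example (not from the Spring advisory or the Spring Cloud Config project) that classifies a constructed inventory of Config Server versions against the fixed versions listed; the hostnames and versions in it are made up.

```python
# Added example: triage deployed Spring Cloud Config Server versions against
# the fixed versions from the advisory table. Inventory data is constructed.
import re

# Fixed version per supported release line, as listed in the advisory.
FIXED_VERSIONS = {
    "3.1": "3.1.14",
    "4.1": "4.1.10",
    "4.2": "4.2.7",
    "4.3": "4.3.3",
    "5.0": "5.0.3",
}

def parse_version(version):
    """Return (major, minor, patch) for '4.3.2' or '4.3.2-SNAPSHOT' (suffix ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def assess(version):
    """Classify a version as 'fixed', 'vulnerable', 'unsupported' or 'unknown'.

    Lines in the table compare against their fixed patch level. Lines older
    than the newest table line that are not in the table are the 'older
    unsupported versions' the advisory lists as affected with no fix. Lines
    newer than the table are outside the advisory, so we do not guess.
    """
    major, minor, patch = parse_version(version)
    line = f"{major}.{minor}"
    if line in FIXED_VERSIONS:
        fixed = parse_version(FIXED_VERSIONS[line])
        return "fixed" if (major, minor, patch) >= fixed else "vulnerable"
    if (major, minor) < (5, 0):
        return "unsupported"
    return "unknown"

def triage(inventory):
    """Map each host in an inventory {host: version} to its assessment."""
    return {host: assess(v) for host, v in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "config-prod-1": "4.3.2",
    "config-prod-2": "5.0.3",
    "config-legacy": "2.2.8",
    "config-staging": "4.2.7",
    "config-dev": "4.1.9-SNAPSHOT",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Any host reported as vulnerable or unsupported needs the upgrade (or an enterprise support fix) before the other checks in this article are worth much.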
What administrators should do now
Administrators should first identify every Spring Cloud Config Server instance in their environment. This includes production, staging, internal developer platforms, and older services that teams may no longer monitor closely.
After that, teams should upgrade to the fixed release for their branch. Spring has released OSS fixes for 4.3.x and 5.0.x, while several older supported lines require enterprise support fixes.
Organizations that use Google Secret Manager should also check whether they need the token-mandatory setting as a short-term control. This workaround helps reduce exposure until teams complete the upgrade.
Recommended checks
- Inventory all Spring Cloud Config Server deployments.
- Check whether any server uses Google Secret Manager as a backend.
- Review Git backend settings, especially spring.cloud.config.server.git.basedir.
- Disable trace logging unless a specific troubleshooting task requires it.
- Search logs for exposed credentials and rotate affected secrets.
- Restrict network access to Config Server endpoints.
- Upgrade to the fixed version for the affected release line.
Why this update matters
Config servers often sit close to sensitive application data. They can hold service settings, cloud references, repository data, and secret paths that many applications rely on.
A single weakness in this layer can affect several downstream services. That makes fast patching more important than it might seem from the affected component name alone.
The critical directory traversal issue should receive the highest priority. Teams should also treat the GCP secret exposure issue seriously if their Config Server connects to Google Secret Manager.
Summary
- Spring patched four Spring Cloud Config Server vulnerabilities on May 6, 2026.
- CVE-2026-40982 is the most severe issue and can lead to directory traversal.
- CVE-2026-40981 can expose secrets from unintended Google Cloud projects.
- CVE-2026-41002 affects the Git base directory used for repository cloning.
- CVE-2026-41004 can place sensitive data in plain text logs when trace logging runs.
FAQ
CVE-2026-40982 is the most serious vulnerability. Spring rates it as critical because crafted requests can trigger directory traversal through Spring Cloud Config Server.
Spring lists 3.1.x, 4.1.x, 4.2.x, 4.3.x, 5.0.x, and older unsupported versions as affected. Teams should upgrade to the fixed release for their branch.
Spring lists 3.1.14, 4.1.10, 4.2.7, 4.3.3, and 5.0.3 as fixed versions across the affected release lines.
Yes. Spring says administrators can set spring.cloud.config.server.gcp-secret-manager.token-mandatory=true if they cannot upgrade immediately.