Security
May 8, 2026

CVE-2026-40982: Critical Spring Cloud Config Server Directory Traversal (CVSS 9.8)

A pre-auth path traversal in spring-cloud-config-server lets unauthenticated attackers read arbitrary files on the host. Affects 3.1.x through 5.0.x, with no upstream fix for EOL branches.


Disclosed on May 6, 2026 by the Spring security team, CVE-2026-40982 is a Critical directory traversal vulnerability in spring-cloud-config-server. The CVSS 3.1 base score is 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. An unauthenticated attacker can send a specially crafted HTTP request to a running Config Server and read or write arbitrary files accessible to the server process. Spring Cloud Config 3.1.x, 4.1.x, 4.2.x, 4.3.x, 5.0.x, and all older unsupported versions are affected. The upstream OSS fix is available in 4.3.3 and 5.0.3; patches for 3.1.x, 4.1.x, and 4.2.x are available through HeroDevs NES for Spring.

What is CVE-2026-40982?

CVE-2026-40982 is a path traversal vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the spring-cloud-config-server module. Spring Cloud Config is a widely deployed component that provides centralized, externalized configuration for distributed systems. The Config Server serves configuration files, text, and binary resources to client microservices over HTTP.

The vulnerability is due to the way the Config Server processes URL path segments when serving resource files. Vulnerable versions fail to fully validate the request segments used to locate a file on disk before those segments are concatenated onto a configured search location and resolved. A crafted request can therefore cause the server to resolve and return a file outside the intended configuration root. Application firewall rules tuned for traditional path-traversal patterns may not be sufficient.

The Config Server's resource endpoints are read-only, so the direct impact is information disclosure: leaking secrets, credentials, or any other file readable by the server process. In typical Spring Cloud deployments, where the Config Server centralizes secrets for an entire fleet of microservices, that disclosure can cascade to broader compromise.

This is not the first time this module has carried a traversal vulnerability. CVE-2026-22739, disclosed in March 2026, was a related path equivalence flaw in Spring Cloud Config Server enabling file reads and SSRF via the profile parameter. Earlier still, CVE-2019-3799 and CVE-2020-5410 were traversal issues in pre-3.x versions of the same module. Patching CVE-2026-22739 does not protect against CVE-2026-40982: they exploit different handling paths.

Severity and exploit conditions

The Spring advisory links to the following CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, base score 9.8 (Critical).

Metric               | Value             | What it means
---------------------+-------------------+----------------------------------------------------------------------------
Attack Vector        | AV:N (Network)    | Exploitable over the network; no local access required
Attack Complexity    | AC:L (Low)        | No special conditions or race windows; the attack is repeatable on demand
Privileges Required  | PR:N (None)       | Unauthenticated; no credentials of any kind are required
User Interaction     | UI:N (None)       | No victim action required; the attacker exploits directly
Scope                | S:U (Unchanged)   | Impact is contained to the Config Server process and its accessible paths
Confidentiality      | C:H (High)        | Arbitrary file reads expose secrets, credentials, and system configuration
Integrity            | I:H (High)        | File writes allow configuration tampering or injection of malicious content
Availability         | A:N (None)        | No direct availability impact scored

The exploit preconditions are minimal:

  • A spring-cloud-config-server instance is network-reachable on any affected version (3.1.x through 5.0.x, plus older EOL versions).
  • The server process has read access to files outside the configuration root, which is the default on most deployments.
  • No authentication is required (PR:N). The vulnerability is pre-auth and requires no existing foothold in the target environment.

Config Server instances are sometimes deployed on internal networks under the assumption that internal reachability is adequate security. That assumption does not hold against insiders, compromised microservice clients, or lateral movement from a breached adjacent service. The absence of any authentication requirement, combined with the low attack complexity, makes exploitation trivially scriptable.

What an attacker can do

Successful exploitation gives the attacker file-level read access to paths on the host, subject to the server process's filesystem permissions.

The vulnerability allows reading arbitrary files that the Config Server process can access. The actual impact depends on:

  • What files the server process has permission to read
  • What sensitive data exists on the filesystem
  • The specific deployment and security configuration

The scope of exposed data cannot be determined without assessing the specific deployment: an impact assessment requires knowing the server process's filesystem permissions and which sensitive files, if any, are present and readable to it.

Who is affected?

Every Spring Cloud Config version from 3.1.x through 5.0.x is affected, along with all older unsupported versions. The Spring advisory explicitly states that "older, unsupported versions are also affected." Fix availability varies significantly by branch.

Spring Cloud Config's version numbers track Spring Boot generations. The 3.1.x branch aligns with Spring Boot 3.1, which reached EOL in December 2023. The 4.1.x branch aligns with Spring Boot 3.3, EOL June 2025. The 4.2.x branch aligns with Spring Boot 3.4, EOL December 2025. If your Spring Boot version is EOL, the corresponding Spring Cloud Config branch is also EOL, and the community will not issue security patches for it.

Version         | Affected? | Upstream OSS Fix    | NES Patch Available?
----------------+-----------+---------------------+---------------------
5.0.x           | Yes       | Upgrade to 5.0.3+   | N/A
4.3.x           | Yes       | Upgrade to 4.3.3+   | N/A
4.2.x (EOL)     | Yes       | No                  | Yes
4.1.x (EOL)     | Yes       | No                  | Yes
3.1.x (EOL)     | Yes       | No                  | Yes
Older (EOL)     | Yes       | No                  | Yes
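The version map above is the kind of thing that gets checked by hand once and then forgotten across dozens of repositories. The following is an added example, not code from the advisory or from the Spring or HeroDevs projects: it reads the spring-cloud-config-server version declared in a pom.xml (resolving a ${property} reference) and classifies it against the ranges the advisory states (fixed in 4.3.3 and 5.0.3; everything below 4.3 EOL with no upstream fix). The sample pom.xml, its project coordinates, and the property name are constructed for the example; branches newer than 5.0.x are reported as not covered by this advisory rather than guessed at.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Fix versions per the advisory text above: 4.3.x is fixed in 4.3.3, 5.0.x in
# 5.0.3; every older branch (4.2.x, 4.1.x, 3.1.x and earlier) is EOL with no
# upstream fix. Branches newer than 5.0.x are not covered by the advisory.
FIXED_IN = {(4, 3): (4, 3, 3), (5, 0): (5, 0, 3)}
NEWEST_COVERED_BRANCH = (5, 0)

# Constructed sample pom.xml; the project coordinates and the property name
# are invented for this example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>config-server</artifactId>
  <version>1.0.0</version>
  <properties>
    <spring-cloud-config.version>4.2.1</spring-cloud-config.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-config-server</artifactId>
      <version>${spring-cloud-config.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>3.4.5</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version: str) -> tuple:
    """Map '4.3.2', '4.3.2-SNAPSHOT' or '3.1.9.RELEASE' to a comparable (major, minor, patch).

    Qualifiers such as -SNAPSHOT or .RELEASE are ignored; only the numeric
    components matter for the affected-range check.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version: str) -> dict:
    """Classify a spring-cloud-config-server version against the advisory's ranges."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if ver >= fixed:
            return {"version": version, "affected": False, "eol": False, "action": "none"}
        return {"version": version, "affected": True, "eol": False,
                "action": f"upgrade to {'.'.join(map(str, fixed))} or later"}
    if branch > NEWEST_COVERED_BRANCH:
        return {"version": version, "affected": None, "eol": False,
                "action": "not covered by this advisory; check the upstream release notes"}
    return {"version": version, "affected": True, "eol": True,
            "action": "EOL branch with no upstream fix: apply a vendor patch "
                      "(the advisory names NES for Spring) or move to 4.3.3+/5.0.3+"}


def find_config_server_version(pom_xml: str) -> Optional[str]:
    """Return the declared spring-cloud-config-server version from a pom.xml, or None.

    A version written as ${property} is resolved from <properties>. None means
    the version is not declared here (for example it is inherited from the
    spring-cloud-dependencies BOM) and must be resolved with the build tool
    instead, e.g. mvn dependency:tree.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gid = (dep.findtext("m:groupId", default="", namespaces=NS) or "").strip()
        aid = (dep.findtext("m:artifactId", default="", namespaces=NS) or "").strip()
        if gid != "org.springframework.cloud" or aid != "spring-cloud-config-server":
            continue
        ver = (dep.findtext("m:version", default="", namespaces=NS) or "").strip()
        ref = re.fullmatch(r"\$\{([^}]+)\}", ver)
        if ref:
            ver = props.get(ref.group(1), "")
        return ver or None
    return None


if __name__ == "__main__":
    declared = find_config_server_version(SAMPLE_POM)
    print("declared version:", declared)
    if declared:
        print(classify(declared))
```

A None result is the case to watch for: most Spring Cloud projects inherit the artifact version from the spring-cloud-dependencies BOM, so the pom.xml alone does not say which version ships, and the effective version has to come from the build tool's resolved dependency tree.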

Mitigation guidance

  • Spring Cloud Config 5.0.x or 4.3.x (Patch): Upgrade to 5.0.3 or 4.3.3 (or the latest patch release in each line). OSS releases are available in Maven Central.
  • Spring Cloud Config 4.2.x, 4.1.x, 3.1.x, or older (EOL — Urgent): NES for Spring provides a drop-in replacement with CVE-2026-40982 resolved across all EOL branches, no migration required.
  • All versions — network hardening while patching (Harden): Restrict network access to the Config Server to known client IPs or service mesh identities. If the server must be more broadly reachable, place an authenticating reverse proxy in front of it so requests are credential-checked before reaching the vulnerable endpoint.
  • All versions — filesystem exposure reduction (Harden): Run the Config Server under a dedicated service account with the minimum required filesystem permissions. Ensure the process account has no read access to /etc, credential directories, or Kubernetes service account token paths.
  • All versions — detection (Detect): Review access logs for requests containing ../, %2e%2e, or double-encoded traversal sequences in path segments served by the Config Server. Alert on these patterns in your WAF or SIEM and treat hits as high-priority indicators of exploitation attempts.
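The detection guidance above is easy to get wrong in one specific way: a single `../` match misses the percent-encoded and double-encoded variants, and the page itself warns that signatures tuned for traditional traversal patterns may not be enough. The script below is an added example, not code from the advisory or from any vendor; it scans combined-format access-log lines, URL-decodes each request path layer by layer (keeping every layer, so `%2e%2e` and `%252e%252e` are caught at whichever layer they resolve to a bounded `..` segment), and flags a 200 response to such a request as a likely successful read rather than a mere attempt. The log lines, IP addresses, and file names are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format. They are made up
# for this example; the three suspicious requests use the forms the advisory
# text names (plain ../, percent-encoded %2e%2e, and double-encoded %252e%252e).
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2026:10:01:02 +0000] "GET /myapp/default/main/application.yml HTTP/1.1" 200 512 "-" "Java/17"
10.0.0.9 - - [08/May/2026:10:01:07 +0000] "GET /myapp/default/main/../../shared/secret.yml HTTP/1.1" 200 2048 "-" "curl/8.5.0"
10.0.0.9 - - [08/May/2026:10:01:09 +0000] "GET /myapp/default/main/%2e%2e/%2e%2e/shared/secret.yml HTTP/1.1" 200 2048 "-" "curl/8.5.0"
10.0.0.9 - - [08/May/2026:10:01:12 +0000] "GET /myapp/default/main/%252e%252e%252f%252e%252e%252fshared%252fsecret.yml HTTP/1.1" 404 0 "-" "curl/8.5.0"
10.0.0.5 - - [08/May/2026:10:01:15 +0000] "GET /myapp/prod/main/db-settings.properties HTTP/1.1" 200 300 "-" "Java/17"
"""

# Combined-log-format request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment bounded by a slash, a backslash, or the start/end of the path.
DOTDOT_SEGMENT = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

MAX_DECODE_ROUNDS = 3


def decode_layers(path: str, rounds: int = MAX_DECODE_ROUNDS) -> List[str]:
    """Return the raw path followed by each successive URL-decoding of it.

    Decoding stops as soon as a round changes nothing. Every layer is kept so
    that a single-encoded %2e%2e and a double-encoded %252e%252e are both
    caught, whichever layer the server itself ends up decoding.
    """
    layers = [path]
    for _ in range(rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def traversal_reason(path: str) -> Optional[str]:
    """Return a short reason if the request path looks like traversal, else None."""
    for depth, layer in enumerate(decode_layers(path)):
        if DOTDOT_SEGMENT.search(layer):
            if depth == 0:
                return "plain '..' segment"
            return f"'..' segment after {depth} round(s) of URL decoding"
    # Fallback for an encoded dot pair that never resolved to a bounded segment.
    if re.search(r'%2e%2e', path, re.IGNORECASE):
        return "encoded %2e%2e sequence"
    return None


def scan_access_log(text: str) -> List[dict]:
    """Scan access-log text; return one finding per request that looks like traversal.

    A 200 response to such a request means the server most likely served the
    file, so it is flagged as a likely successful read and deserves priority
    over a 404 attempt.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # Not a request line in the expected format; skip rather than guess.
        reason = traversal_reason(m.group("path"))
        if reason is None:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": status,
            "path": m.group("path"),
            "reason": reason,
            "likely_success": status == 200,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = "LIKELY READ" if f["likely_success"] else "attempt"
        print(f"{f['timestamp']} {f['ip']} {flag} ({f['reason']}): {f['path']}")
```

Two design points: the decoder keeps every intermediate layer rather than only the fully decoded string, because which layer a given proxy or servlet container decodes is deployment-specific; and the `..` check requires the segment to be bounded by a separator, so a legitimate file named `a..b.yml` is not flagged while `..\\` (backslash) variants still are. Because the exact bypass the CVE relies on is not spelled out in the advisory, treat any bounded `..` after decoding as suspicious rather than tuning for one known string.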


Related CVEs

CVE-2026-40982 was disclosed in the same May 6, 2026 advisory batch as three other Spring Cloud Config vulnerabilities. CVE-2026-40981 is a High-severity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) flaw in the Google Secrets Manager backend: a crafted client request can expose secrets from unintended GCP projects. The same version ranges are affected and the same fix versions apply. If you are running a Google Secrets Manager-backed Config Server, both CVEs warrant remediation in the same patching window. CVE-2026-41002, also from the same batch, is a separate time-of-check/time-of-use (TOCTOU) flaw in Config Server local filesystem operations.

CVE-2026-22739, disclosed in March 2026, was a related path equivalence flaw in Spring Cloud Config Server enabling directory traversal and SSRF via the profile parameter. Patching that CVE does not protect against CVE-2026-40982: they exploit different handling paths in the same module. If you patched CVE-2026-22739 but have not yet applied the May 2026 fixes, your Config Server remains exposed.

For the broader set of Spring ecosystem CVEs from the March 2026 disclosure batch, see the March 2026 Spring CVE Roundup, which covers six vulnerabilities across Spring Boot, Spring Security, Spring Framework, and Spring Cloud Config.

Taking action

CVE-2026-40982 is pre-authentication, low-complexity, remotely exploitable, and scored 9.8 Critical. It requires no credentials and no victim interaction. Any organization running Spring Cloud Config where the server is reachable by untrusted traffic, or where the server process has access to sensitive filesystem paths, should treat this as an urgent patch.

The version map complicates remediation. Only two branches have OSS-available fixes: 4.3.x (fixed in 4.3.3) and 5.0.x (fixed in 5.0.3). Older branches have no open source upstream fix.

If your organization is running Spring Cloud Config on any EOL branch, NES for Spring delivers a patched, drop-in replacement covering CVE-2026-40982 and the full backlog of unresolved vulnerabilities across the EOL Spring portfolio. No migration required.

Author
Erik Weibust
Senior Engineering Manager