CVE-2026-40982

Path Traversal
Affects Spring Cloud Config in Spring
Versions: >=1.0.0 <=3.1.13, >=4.1.0 <=4.1.9, >=4.2.0 <=4.2.6, >=4.3.0 <=4.3.2, >=5.0.0 <=5.0.2
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Cloud Config is a centralized configuration management tool for distributed systems built on the Spring Framework. The spring-cloud-config-server module exposes HTTP endpoints that serve configuration data and arbitrary text or binary files to client applications, backed by Git, native filesystem, Vault, JDBC, and other repositories.

A critical-severity vulnerability (CVE-2026-40982) has been identified in Spring Cloud Config Server's file-serving controllers (ResourceController, EnvironmentController, and EncryptionController). Three URL-bound parameters used to compose backend lookups (profile, path, and, on the encrypt and decrypt endpoints, name and profiles) were either entirely unvalidated or guarded only by a permissive deny-list. An unauthenticated remote attacker can submit a specially crafted URL whose profile, path, or name segment smuggles a directory-traversal sequence past the existing decoder, causing the server to resolve a file outside the configured search location and return its contents (or, depending on backend semantics, influence what is read or written).

Per OWASP: "A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with 'dot-dot-slash (../)' sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system."

This issue affects Spring Cloud Config >=1.0.0 <=3.1.13, >=4.1.0 <=4.1.9, >=4.2.0 <=4.2.6, >=4.3.0 <=4.3.2, and >=5.0.0 <=5.0.2.

Details

Module Info

Vulnerability Info

Spring Cloud Config Server processes configuration and file access requests through multiple controller endpoints that ultimately resolve user-supplied path components against a backend repository. The controllers' URL templates expose path components that are composed into a backend lookup against the configured repository, which for the native and Git backends resolves to a java.io.File or a Spring Resource under a search-location root.

Three earlier CVEs (CVE-2020-5405, CVE-2020-5410, CVE-2026-22739) progressively added directory-traversal protection to name, label, and profile in EnvironmentController and ResourceController. Those fixes left two gaps that CVE-2026-40982 closes by introducing more robust input validation and normalization:

  • Request parameters involved in repository resolution are now uniformly normalized and validated.
  • Validation has been enhanced to enforce stricter character constraints, replacing earlier pattern-based checks that could be bypassed under certain conditions.
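The two hardening measures above, an allow-list on name/profile segments and normalization plus a containment check on the path, as an added illustration in plain JDK code. This is not Spring Cloud Config's own fix; the class name, the allow-list pattern, the search-location root and the sample inputs are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Hypothetical guard showing allow-list validation and root containment (not project code). */
public final class SearchLocationGuard {
    // Assumed allow-list for name/profile/label segments: alphanumerics plus . _ - only.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private final Path root;

    public SearchLocationGuard(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    /** Reject a segment unless every character is allow-listed and it contains no dot-dot run. */
    public static boolean isSafeSegment(String segment) {
        if (segment == null || !SEGMENT.matcher(segment).matches()) return false;
        return !segment.contains("..");
    }

    /** Resolve a request path under the search-location root; returns null to reject. */
    public Path resolveWithinRoot(String requestPath) {
        if (requestPath == null || requestPath.isEmpty()) return null;
        // Conservative: decode once more so an encoded sequence cannot pass a raw-string check
        // (assumes the framework already decoded once; a literal '%' in a name is rejected later).
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) return null;
        Path candidate = Paths.get(decoded);
        if (candidate.isAbsolute()) return null;
        // Normalize first, then check containment: the key ordering the earlier fixes lacked.
        Path resolved = root.resolve(candidate).normalize();
        if (!resolved.startsWith(root) || resolved.equals(root)) return null;
        return resolved;
    }

    public static void main(String[] args) {
        SearchLocationGuard guard = new SearchLocationGuard(Paths.get("/srv/config-repo"));
        System.out.println(isSafeSegment("production"));                  // true
        System.out.println(isSafeSegment("../outside"));                  // false
        System.out.println(guard.resolveWithinRoot("app/application.yml")); // under root
        System.out.println(guard.resolveWithinRoot("../../outside.txt"));   // null
        System.out.println(guard.resolveWithinRoot("/outside.txt"));        // null
    }
}
```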

The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (base score 9.4) reflects that the attack is unauthenticated, network-reachable, and yields high confidentiality and integrity impact with no service-availability effect.

The vulnerable controllers have existed since the Spring Cloud Config 1.0 line. Path-traversal protection on individual parameters was added incrementally by the three earlier CVEs cited above, but the path parameter and the profile allow-list were never tightened until April 2026, which is why every Spring Cloud Config Server release prior to the fix is affected. The advisory's listed range starting at 3.1.x reflects Spring's currently-supported scope; older lines, including the lines covered by NES support, are also in scope.

Mitigation

Only recent versions of Spring Cloud Config receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Cloud Config. The OSS fix ships in Spring Cloud Config 4.3.3 (4.3.x line) and 5.0.3 (5.0.x line).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Cloud Config.

Credits

  • Swapnil Paliwal (finder)
  • The security team at AxiomCode using the AxiomEngine (finder)
  • August829 (finder)
  • rash18mi (finder)
Vulnerability Details

Severity: Critical (CVSS scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-40982
Project Affected: Spring Cloud Config
Versions Affected: >=1.0.0 <=3.1.13, >=4.1.0 <=4.1.9, >=4.2.0 <=4.2.6, >=4.3.0 <=4.3.2, >=5.0.0 <=5.0.2
NES Versions Affected:
Published date: May 7, 2026
Fix date: May 6, 2026
Category: Path Traversal