View all Vulnerabilities

CVE-2026-41002

Path Traversal
Affects
Spring Cloud Config
in
Spring
No items found.
Versions
>=1.0.0 <=3.1.13, >=4.1.0 <=4.1.9, >=4.2.0 <=4.2.6, >=4.3.0 <=4.3.2, >=5.0.0 <=5.0.2
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Cloud Config is a centralized configuration management tool for distributed systems built on the Spring Framework. Its spring-cloud-config-server module ships several environment-repository backends, including a Git backend that clones a configured remote repository into a local working directory (spring.cloud.config.server.git.basedir) and an alternate file: mode that opens an existing on-disk Git repository directly. JGit performs the actual repository operations on top of those paths.

A high-severity vulnerability (CVE-2026-41002) has been identified in those file-system code paths. The pre-fix JGitEnvironmentRepository checks basedir for existence, recursively deletes its contents, then asks JGit to clone into the same configured path, re-resolving it from the user-provided File each time. A local actor with the ability to influence the file system at or near basedir can swap the leaf for a symbolic link in the window between the server's check and JGit's clone, causing the clone to land outside the intended directory tree. The same recursive-delete step uses FileUtils.delete(file, FileUtils.RECURSIVE), which follows directory symlinks, so a planted symlink inside basedir causes the cleanup phase to recursively delete files outside basedir. The file: URI mode has the same class of issue: a symbolic link at the repository root or at the inner .git entry is silently followed, redirecting JGit to a different on-disk repository than the one the server was configured to serve.

Per OWASP: "A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with 'dot-dot-slash (../)' sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system." In this CVE the path component being abused is not a URL parameter but a symbolic link that the server's file-system code follows during a clone or open, with the same end result: file accesses escape the configured Git working directory.

The CVSS v3.1 base score for this vulnerability is 6.0 (High) with vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N. The attack requires a local foothold and high attack complexity (the attacker must win a race or place a symlink at the right moment) and high privileges (typically write access in or near basedir), but on success the scope changes and the attacker can achieve high confidentiality and integrity impact by reading and overwriting arbitrary files the Config Server account can touch outside its configured tree.

This issue affects Spring Cloud Config >=1.0.0 <=3.1.13, >=4.1.0 <=4.1.9, >=4.2.0 <=4.2.6, >=4.3.0 <=4.3.2, and >=5.0.0 <=5.0.2.

Details

Module Info

Vulnerability Info

The vulnerability is in JGitEnvironmentRepository in the spring-cloud-config-server module. When the configured Git URI is a remote (https://, ssh://, etc.), the server prepares spring.cloud.config.server.git.basedir and clones the remote into it. When the URI is a file: URI, the server opens an existing on-disk Git repository at that path. Both code paths perform their checks against a path string and then re-derive the underlying java.io.File/Path when handing off to JGit, leaving a window in which the configured path can resolve to a different on-disk object than it did at check time.

The pre-fix copyRepository() method (the entry point for the remote-clone flow) had this shape:

private synchronized Git copyRepository() throws IOException, GitAPIException {
    deleteBaseDirIfExists();
    getBasedir().mkdirs();
    Assert.state(getBasedir().exists(), "Could not create basedir: " + getBasedir());
    if (getUri().startsWith(FILE_URI_PREFIX)) {
        return copyFromLocalRepository();
    }
    else {
        return cloneToBasedir();
    }
}

private Git cloneToBasedir() throws GitAPIException {
    CloneCommand clone = this.gitFactory.getCloneCommandByCloneRepository()
        .setURI(getUri())
        .setDirectory(getBasedir());
    ...
}

The configured basedir is resolved fresh inside deleteBaseDirIfExists, again inside getBasedir().mkdirs(), again inside Assert.state(getBasedir().exists(), ...), and a final time inside setDirectory(getBasedir()). A local actor who can place or replace a symbolic link at the configured path between any two of those calls steers the clone into the link's target. The recursive-delete step compounds the problem: deleteBaseDirIfExists iterates getBasedir().listFiles() and, for each entry, calls JGit's FileUtils.delete(file, FileUtils.RECURSIVE), which traverses directory symlinks. A symlink planted as a child of basedir causes the delete to recurse into the link's target and remove its contents.

The pre-fix copyFromLocalRepository() method (used for file: URIs) had a similar weakness:

File remote = new UrlResource(StringUtils.cleanPath(getUri())).getFile();
Assert.state(remote.isDirectory(), "No directory at " + getUri());
File gitDir = new File(remote, ".git");
Assert.state(gitDir.exists(), "No .git at " + getUri());
Assert.state(gitDir.isDirectory(), "No .git directory at " + getUri());
git = this.gitFactory.getGitByOpen(remote);

isDirectory() and exists() on a java.io.File follow symbolic links. A symlink whose target is a real Git working directory satisfies both checks, and gitFactory.getGitByOpen(remote) then opens the link target rather than the configured path. The same applies to the inner .git: a symbolic link there can redirect JGit's repository open to an entirely different repository on the same host. A local actor who controls (or can swap) the file at the configured file: URI can therefore make the Config Server serve configuration from a repository other than the one the operator wired in.

The fix introduces explicit-validation helpers that all canonicalize paths with Path#toRealPath(LinkOption.NOFOLLOW_LINKS) and re-resolve the configured path immediately before invoking JGit. For the remote-clone flow, recreateSecureBasedirForClone() removes any prior leaf (deleting symlinks as links rather than recursing into their targets), then creates the leaf with Files.createDirectory(base) so that a concurrent local swap to a symlink at the same path surfaces as FileAlreadyExistsException.

The hardened cloneToBasedir(Path resolvedBasedir) re-resolves the configured path with toRealPath(LinkOption.NOFOLLOW_LINKS) and asserts it still equals the directory recreateSecureBasedirForClone returned, before calling clone.call(). If the path resolved differently in the interval, the operation aborts with "Local clone directory changed before clone (possible path substitution)".

For the file: URI flow, resolveValidatedLocalFileRepositoryRoot() rejects symbolic links at the repository root and at .git, canonicalizes both with NOFOLLOW_LINKS, and asserts both resolve to real directories. After JGit opens the repository, assertOpenedLocalRepositoryPathsUnderRoot reads repository.getDirectory() and repository.getWorkTree() back from JGit, canonicalizes them the same way, and asserts they startsWith the validated root. JGit cannot report a working directory or git directory that lies outside the configured URI's resolved root.

deleteBaseDirIfExists() is rewritten on top of Files.walkFileTree(base, EnumSet.noneOf(FileVisitOption.class), Integer.MAX_VALUE, ...). The empty enum set explicitly excludes FileVisitOption.FOLLOW_LINKS, so a directory-symlink entry inside basedir is deleted as a link rather than recursed into, and a tripwire assertPathUnderBase guards each visitor call.

The vulnerable file-system primitives have been present since 2014. The advisory's listed range starting at 3.1.x reflects Spring's currently-supported scope, but older versions all the way back to 1.0.0 are affected.

Mitigation

Only recent versions of Spring Cloud Config receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Cloud Config. The OSS fix ships in Spring Cloud Config 4.3.3 (4.3.x line) and 5.0.3 (5.0.x line).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Cloud Config.

Credits

  • Yu Bao (PayPal) (finder)
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
ID
CVE-2026-41002
PROJECT Affected
Spring Cloud Config
Versions Affected
>=1.0.0 <=3.1.13, >=4.1.0 <=4.1.9, >=4.2.0 <=4.2.6, >=4.3.0 <=4.3.2, >=5.0.0 <=5.0.2
NES Versions Affected
Published date
May 7, 2026
≈ Fix date
May 6, 2026
Fixed in
NES for Spring
Category
Path Traversal
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.