Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets

Spring Cloud Config provides crucial server-side and client-side support for externalized configuration in distributed systems.

Recently, the Spring development team disclosed four security vulnerabilities impacting the Spring Cloud Config Server.

These flaws range from medium to critical severity, exposing environments to unauthorized arbitrary file access, cloud secrets leakage, and logging misconfigurations.

Because centralized configuration servers often hold sensitive keys for an entire microservice architecture, system administrators must immediately review and patch their infrastructure.

Spring Cloud Vulnerabilities

Directory Traversal Vulnerabilities

The most severe issue is CVE-2026-40982, a critical directory traversal vulnerability affecting the platform.

The Spring Cloud Config module allows applications to serve both text and binary files over the network.

An attacker can exploit this module by sending a specially crafted URL to the server, thereby bypassing restricted directories and accessing arbitrary files on the host system.

Security researchers Swapnil Paliwal, the AxiomCode security team, August 829, and rash18mi responsibly identified and reported this critical flaw.

Target GCP Secrets and Git Directories

Two additional high-severity vulnerabilities threaten Spring Cloud Config deployments.

CVE-2026-40981 affects organizations that use Google Secrets Manager as the backend for their configuration server.

Malicious actors can craft specific requests to the config server, exposing sensitive secrets from unintended Google Cloud Platform projects.

Meanwhile, CVE-2026-41002 introduces a time-of-check-time-of-use attack surface.

This vulnerability specifically targets the server’s base directory used to clone Git repositories.

Threat actors can manipulate files during the cloning process due to this race condition.

Security researcher Yu Bao from PayPal received credit for discovering and reporting this Git-related vulnerability.

Trace Logging Exposes Sensitive Information

A medium-severity vulnerability (CVE-2026-41004) affects the server’s internal logging mechanisms.

When administrators enable trace logging, the system inadvertently writes sensitive information in plain text directly to the log files.

This misconfiguration could expose credentials or configuration secrets to unauthorized internal users who possess read access to the system logs.

All four vulnerabilities impact the same branches of the Spring Cloud Config ecosystem.

The affected release lines include 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. Older, unsupported versions of the software also remain highly vulnerable to these exploits.

Users must upgrade immediately to secure their environments against potential compromise.

The Spring team has released patched versions across their different support tiers.

Open-source software users must upgrade to 4.3. x environments to version 4.3.3 and their 5.0. x environments to version 5.0.3.

Enterprise support customers have access to dedicated fixes in versions 3.1.14, 4.1.10, and 4.2.7.

If immediate patching is impossible for the GCP secrets vulnerability, administrators can implement a temporary configuration workaround.

By setting the spring.cloud.config.server.gcp-secret-manager.token-mandatory=true property, the server forces clients to send a valid token.

The system then verifies this token to ensure the client actually has legitimate access to the requested project secrets.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar