VulnerableCode Package Details - pkg:maven/org.springframework.cloud/spring-cloud-config-server@5.0.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-1vzp-x3f4-aqay Aliases: CVE-2026-40981 GHSA-2mh5-3cw6-hrrq	When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	5.0.3 Affected by 0 other vulnerabilities.
VCID-b548-vbfs-xugq Aliases: CVE-2026-41002 GHSA-86wq-234q-r6wg	The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	5.0.3 Affected by 0 other vulnerabilities.
VCID-je53-ksaj-sqch Aliases: CVE-2026-41004 GHSA-j6hh-h3cf-c2hf	When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	5.0.3 Affected by 0 other vulnerabilities.
VCID-zjpq-btz8-rkan Aliases: CVE-2026-40982 GHSA-6g23-24mc-hx6x	Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.	5.0.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1vzp-x3f4-aqay
Aliases:
CVE-2026-40981
GHSA-2mh5-3cw6-hrrq

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

5.0.3
Affected by 0 other vulnerabilities.

VCID-b548-vbfs-xugq
Aliases:
CVE-2026-41002
GHSA-86wq-234q-r6wg

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

5.0.3
Affected by 0 other vulnerabilities.

VCID-je53-ksaj-sqch
Aliases:
CVE-2026-41004
GHSA-j6hh-h3cf-c2hf

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

5.0.3
Affected by 0 other vulnerabilities.

VCID-zjpq-btz8-rkan
Aliases:
CVE-2026-40982
GHSA-6g23-24mc-hx6x

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

5.0.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4rv4-nm53-bya6	Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.	CVE-2026-22739 GHSA-3qwq-q9vm-5j42

Vulnerability

Summary

Aliases

VCID-4rv4-nm53-bya6

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

CVE-2026-22739
GHSA-3qwq-q9vm-5j42

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:30:03.844916+00:00	GHSA Importer	Affected by	VCID-zjpq-btz8-rkan	https://github.com/advisories/GHSA-6g23-24mc-hx6x	38.6.0
2026-06-13T06:30:03.686321+00:00	GHSA Importer	Affected by	VCID-je53-ksaj-sqch	https://github.com/advisories/GHSA-j6hh-h3cf-c2hf	38.6.0
2026-06-13T06:30:03.534546+00:00	GHSA Importer	Affected by	VCID-1vzp-x3f4-aqay	https://github.com/advisories/GHSA-2mh5-3cw6-hrrq	38.6.0
2026-06-13T06:30:03.472538+00:00	GHSA Importer	Affected by	VCID-b548-vbfs-xugq	https://github.com/advisories/GHSA-86wq-234q-r6wg	38.6.0
2026-06-13T06:28:15.337031+00:00	GHSA Importer	Fixing	VCID-4rv4-nm53-bya6	https://github.com/advisories/GHSA-3qwq-q9vm-5j42	38.6.0
2026-06-12T22:23:53.636668+00:00	GitLab Importer	Affected by	VCID-zjpq-btz8-rkan	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-40982.yml	38.6.0
2026-06-12T22:23:52.813391+00:00	GitLab Importer	Affected by	VCID-b548-vbfs-xugq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-41002.yml	38.6.0
2026-06-12T22:23:48.641809+00:00	GitLab Importer	Affected by	VCID-je53-ksaj-sqch	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-41004.yml	38.6.0
2026-06-12T22:23:29.920029+00:00	GitLab Importer	Affected by	VCID-1vzp-x3f4-aqay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-40981.yml	38.6.0
2026-06-12T21:35:51.087857+00:00	GitLab Importer	Fixing	VCID-4rv4-nm53-bya6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-config-server/CVE-2026-22739.yml	38.6.0
2026-06-12T07:50:30.072174+00:00	GithubOSV Importer	Fixing	VCID-4rv4-nm53-bya6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3qwq-q9vm-5j42/GHSA-3qwq-q9vm-5j42.json	38.6.0