Spring Spring Cloud Config
6 CVEs affecting Spring Spring Cloud Config. Latest disclosed: 2026-05-07. Critical: 1, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-40982 | Critical | 9.1 | 2026-05-07 | Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker… |
CVE-2026-40981 | High | 7.5 | 2026-05-07 | When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secret… |
CVE-2026-41002 | High | 7.2 | 2026-05-07 | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-che… |
CVE-2025-22232 | Medium | 5.3 | 2025-04-10 | Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault. Your application may be affecte… |
CVE-2026-41004 | Medium | 4.4 | 2026-05-07 | When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from… |
CVE-2019-3799 | | 2019-05-06 | Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow appl… |