Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Home/CyberSecurity News/Critical Spring Bugs Expose Arbitrary Files and GCP Secrets
CyberSecurity News

Critical Spring Bugs Expose Arbitrary Files and GCP Secrets

Key Takeaways Four critical and high-severity vulnerabilities have been discovered in Spring Cloud Config Server. These flaws could lead to arbitrary file access, leakage of Google Cloud Platform...

Emy Elsamnoudy
Emy Elsamnoudy
May 8, 2026 3 Min Read
45 0

Key Takeaways

  • Four critical and high-severity vulnerabilities have been discovered in Spring Cloud Config Server.
  • These flaws could lead to arbitrary file access, leakage of Google Cloud Platform (GCP) secrets, and exposure of sensitive data via logging.
  • Organizations utilizing Spring Cloud Config, particularly those with centralized configuration servers or using GCP Secrets Manager, are at risk.
  • Patches are available across multiple Spring Cloud Config versions, and immediate upgrades are strongly recommended.

The Spring Cloud Config Server, a vital component for managing externalized configurations in distributed systems, is currently at the center of a significant cybersecurity alert. The Spring development team has disclosed four security vulnerabilities, ranging from medium to critical severity, that could expose sensitive environments to unauthorized access and data leakage.

Table Of Content

  • Key Takeaways
  • Spring Cloud Vulnerabilities
  • Directory Traversal Vulnerabilities
  • Target GCP Secrets and Git Directories
  • Trace Logging Exposes Sensitive Information
  • What You Should Do

Given that these centralized configuration servers frequently house critical keys and sensitive data for entire microservice architectures, system administrators must prioritize immediate review and patching of their infrastructure.

Spring Cloud Vulnerabilities

Directory Traversal Vulnerabilities

The most critical of the identified issues is CVE-2026-40982, a directory traversal vulnerability that could allow attackers to bypass security restrictions. Spring Cloud Config facilitates the serving of both text and binary files over a network. By crafting a malicious URL, an attacker can exploit this functionality to navigate outside intended directories and access arbitrary files on the host system.

This critical flaw was responsibly identified and reported by security researchers Swapnil Paliwal, the AxiomCode security team, August 829, and rash18mi.

Target GCP Secrets and Git Directories

Two additional high-severity vulnerabilities pose threats to Spring Cloud Config deployments. CVE-2026-40981 specifically impacts organizations that use Google Secrets Manager as a backend for their configuration server. Malicious actors could craft specific requests to the config server, potentially exposing sensitive secrets from unintended Google Cloud Platform projects.

Separately, CVE-2026-41002 introduces a time-of-check-time-of-use (TOCTOU) race condition. This vulnerability targets the server’s base directory used for cloning Git repositories. Threat actors could manipulate files during the repository cloning process, exploiting this race condition to achieve unauthorized changes. Yu Bao from PayPal is credited with discovering and reporting this Git-related vulnerability.

Trace Logging Exposes Sensitive Information

A medium-severity vulnerability, CVE-2026-41004, affects the server’s internal logging mechanisms. When trace logging is enabled, the system inadvertently writes sensitive information, such as credentials or configuration secrets, in plain text directly into log files. This misconfiguration could expose critical data to unauthorized internal users who have read access to system logs.

All four vulnerabilities impact multiple release lines of the Spring Cloud Config ecosystem, specifically versions 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. Older, unsupported versions of the software are also highly susceptible to these exploits. Users are urged to upgrade immediately to secure their environments.

The Spring team has released patched versions across their different support tiers. Open-source users should upgrade their 4.3.x environments to version 4.3.3 and their 5.0.x environments to version 5.0.3. Enterprise support customers have access to dedicated fixes in versions 3.1.14, 4.1.10, and 4.2.7.

For the GCP secrets vulnerability, if immediate patching is not feasible, administrators can implement a temporary workaround. By setting the spring.cloud.config.server.gcp-secret-manager.token-mandatory=true property, the server will require clients to provide a valid token. This token is then verified to ensure the client possesses legitimate access to the requested project secrets.

What You Should Do

  • Immediately Patch: Upgrade Spring Cloud Config Server instances to the latest patched versions: 4.3.3 for 4.3.x environments, 5.0.3 for 5.0.x environments, and enterprise-specific versions 3.1.14, 4.1.10, and 4.2.7.
  • Review Logging Configurations: Disable trace logging in production environments, or ensure sensitive information is not logged in plain text, to mitigate CVE-2026-41004.
  • Implement Workarounds (if patching is delayed): For the GCP secrets vulnerability (CVE-2026-40981), set spring.cloud.config.server.gcp-secret-manager.token-mandatory=true to enforce token-based access verification.
  • Audit Access Controls: Regularly review and restrict access to configuration servers and associated log files, particularly for internal users.
  • Stay Informed: Monitor official Spring security advisories for further updates and recommendations.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityThreatVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Next Post

Mozilla Patches Critical Firefox Vulnerabilities (CVE-2024-XXXX, CVE-2024-XXXX)

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us