Critical Spring Bugs Expose Arbitrary Files and GCP Secrets
Key Takeaways Four critical and high-severity vulnerabilities have been discovered in Spring Cloud Config Server. These flaws could lead to arbitrary file access, leakage of Google Cloud Platform...
Key Takeaways
- Four critical and high-severity vulnerabilities have been discovered in Spring Cloud Config Server.
- These flaws could lead to arbitrary file access, leakage of Google Cloud Platform (GCP) secrets, and exposure of sensitive data via logging.
- Organizations utilizing Spring Cloud Config, particularly those with centralized configuration servers or using GCP Secrets Manager, are at risk.
- Patches are available across multiple Spring Cloud Config versions, and immediate upgrades are strongly recommended.
The Spring Cloud Config Server, a vital component for managing externalized configurations in distributed systems, is currently at the center of a significant cybersecurity alert. The Spring development team has disclosed four security vulnerabilities, ranging from medium to critical severity, that could expose sensitive environments to unauthorized access and data leakage.
Table Of Content
Given that these centralized configuration servers frequently house critical keys and sensitive data for entire microservice architectures, system administrators must prioritize immediate review and patching of their infrastructure.
Spring Cloud Vulnerabilities
Directory Traversal Vulnerabilities
The most critical of the identified issues is CVE-2026-40982, a directory traversal vulnerability that could allow attackers to bypass security restrictions. Spring Cloud Config facilitates the serving of both text and binary files over a network. By crafting a malicious URL, an attacker can exploit this functionality to navigate outside intended directories and access arbitrary files on the host system.
This critical flaw was responsibly identified and reported by security researchers Swapnil Paliwal, the AxiomCode security team, August 829, and rash18mi.
Target GCP Secrets and Git Directories
Two additional high-severity vulnerabilities pose threats to Spring Cloud Config deployments. CVE-2026-40981 specifically impacts organizations that use Google Secrets Manager as a backend for their configuration server. Malicious actors could craft specific requests to the config server, potentially exposing sensitive secrets from unintended Google Cloud Platform projects.
Separately, CVE-2026-41002 introduces a time-of-check-time-of-use (TOCTOU) race condition. This vulnerability targets the server’s base directory used for cloning Git repositories. Threat actors could manipulate files during the repository cloning process, exploiting this race condition to achieve unauthorized changes. Yu Bao from PayPal is credited with discovering and reporting this Git-related vulnerability.
Trace Logging Exposes Sensitive Information
A medium-severity vulnerability, CVE-2026-41004, affects the server’s internal logging mechanisms. When trace logging is enabled, the system inadvertently writes sensitive information, such as credentials or configuration secrets, in plain text directly into log files. This misconfiguration could expose critical data to unauthorized internal users who have read access to system logs.
All four vulnerabilities impact multiple release lines of the Spring Cloud Config ecosystem, specifically versions 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. Older, unsupported versions of the software are also highly susceptible to these exploits. Users are urged to upgrade immediately to secure their environments.
The Spring team has released patched versions across their different support tiers. Open-source users should upgrade their 4.3.x environments to version 4.3.3 and their 5.0.x environments to version 5.0.3. Enterprise support customers have access to dedicated fixes in versions 3.1.14, 4.1.10, and 4.2.7.
For the GCP secrets vulnerability, if immediate patching is not feasible, administrators can implement a temporary workaround. By setting the spring.cloud.config.server.gcp-secret-manager.token-mandatory=true property, the server will require clients to provide a valid token. This token is then verified to ensure the client possesses legitimate access to the requested project secrets.
What You Should Do
- Immediately Patch: Upgrade Spring Cloud Config Server instances to the latest patched versions: 4.3.3 for 4.3.x environments, 5.0.3 for 5.0.x environments, and enterprise-specific versions 3.1.14, 4.1.10, and 4.2.7.
- Review Logging Configurations: Disable trace logging in production environments, or ensure sensitive information is not logged in plain text, to mitigate CVE-2026-41004.
- Implement Workarounds (if patching is delayed): For the GCP secrets vulnerability (CVE-2026-40981), set
spring.cloud.config.server.gcp-secret-manager.token-mandatory=trueto enforce token-based access verification. - Audit Access Controls: Regularly review and restrict access to configuration servers and associated log files, particularly for internal users.
- Stay Informed: Monitor official Spring security advisories for further updates and recommendations.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.