Brief Summary: CVE-2026-40982 Directory Traversal in Spring Cloud Config Server

A short review of CVE-2026-40982, a critical directory traversal vulnerability in Spring Cloud Config Server that allows unauthenticated attackers to read arbitrary files via crafted URLs. Covers technical details, affected versions, and remediation guidance.

ZeroPath CVE Analysis

2026-05-06

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A directory traversal flaw in Spring Cloud Config Server allows unauthenticated attackers to read arbitrary files from the underlying host by sending a single crafted HTTP request. Given that Spring Cloud Config typically serves as the centralized configuration backbone for distributed microservice architectures, successful exploitation could expose database credentials, API keys, and internal service configurations across an entire deployment.

Technical Information

CVE-2026-40982 is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory, commonly referred to as Path Traversal. The vulnerability resides in the spring-cloud-config-server module, which is designed to serve arbitrary text and binary files to client applications. When serving binary files, the server expects an Accept header of application/octet-stream and can interact with multiple backend types including Git, SVN, and native file systems.

Root Cause

The core issue is insufficient sanitization of file paths in incoming requests. The Config Server exposes endpoints that resolve file paths based on URL parameters. When an attacker includes path traversal sequences in a specially crafted URL, the server resolves the path outside its intended directory structure, granting access to files elsewhere on the filesystem.

CVSS Breakdown

The CVSS v3.1 vector string assigned by VMware is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, resulting in a base score of 9.1 (Critical). Breaking this down:

| Metric | Value | Meaning |
| --- | --- | --- |
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Confidentiality Impact | High | Arbitrary file read |
| Integrity Impact | High | Potential to influence served configurations |
| Availability Impact | None | Service remains operational |

The combination of network accessibility, zero authentication requirements, and low complexity makes this vulnerability particularly dangerous in any environment where the Config Server is reachable from untrusted networks.

Attack Flow

Based on the advisory details, exploitation follows a straightforward pattern:

  1. The attacker identifies a Spring Cloud Config Server instance, which typically listens on a known port and exposes predictable endpoint patterns.
  2. The attacker constructs a URL containing path traversal sequences targeting a sensitive file (for example, configuration files containing credentials or system files).
  3. The attacker sends the crafted request to the Config Server. Depending on the target file type, the request may include an Accept: application/octet-stream header for binary content.
  4. The server, failing to properly validate the path, resolves the traversal sequences and returns the contents of the requested file.
  5. The attacker receives the file contents in the HTTP response, potentially gaining access to secrets, credentials, or other sensitive data managed by the Config Server or stored on the host filesystem.

Because the Config Server often has read access to Git repositories, SVN repositories, or local filesystem directories containing application secrets, the blast radius of this vulnerability extends well beyond the server itself.
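As an added defensive example (not code from the advisory or from the Spring Cloud Config project), the following Python scans access-log lines for requests whose path, after percent-decoding and normalization, resolves outside the directory the server is meant to serve. The combined-log format, the served root /config, and the sample lines are all assumed or constructed; a plain substring match on "../" would also flag the harmless second line, which this containment check does not.

```python
"""Flag access-log requests whose path escapes the served root.

Added example, not from the advisory or the Spring Cloud Config code base.
Assumptions: combined-log style lines and a served root of /config.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed log shape: ... "METHOD /path HTTP/x.y" ...; only the path is used.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing (catches %252e%252e)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(request_path: str, root: str = "/config") -> bool:
    """True if the decoded, normalized request path is not under `root`."""
    decoded = fully_decode(request_path.split("?", 1)[0])
    # normpath collapses '.' and '..', so '/config/../x' becomes '/x'.
    normalized = posixpath.normpath(decoded)
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    return not (normalized == root or normalized.startswith(root + "/"))


def find_traversal_attempts(log_lines, root: str = "/config"):
    """Return (method, raw path) for every line whose path escapes `root`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and escapes_root(m.group("path"), root):
            hits.append((m.group("method"), m.group("path")))
    return hits


# Constructed sample lines (not real traffic); the last two escape the root.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2026:10:00:01 +0000] "GET /config/app/default/master/app.yml HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/May/2026:10:00:02 +0000] "GET /config/app/../shared/common.yml HTTP/1.1" 200 300',
    '198.51.100.9 - - [06/May/2026:10:00:03 +0000] "GET /config/app/..%2F..%2F..%2Foutside.txt HTTP/1.1" 200 20',
    '198.51.100.9 - - [06/May/2026:10:00:04 +0000] "GET /config/app/%252e%252e/%252e%252e/%252e%252e/outside2.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for method, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt: {method} {path}")
```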

Affected Systems and Versions

The following Spring Cloud Config release trains are affected:

| Release Train | Vulnerable Versions | Fixed Version | Availability |
| --- | --- | --- | --- |
| 3.1.x | 3.1.0 through 3.1.13 (inclusive) | 3.1.14 | Enterprise Support Only |
| 4.1.x | 4.1.0 through 4.1.9 (inclusive) | 4.1.10 | Enterprise Support Only |
| 4.2.x | 4.2.0 through 4.2.6 (inclusive) | 4.2.7 | Enterprise Support Only |
| 4.3.x | 4.3.0 through 4.3.2 (inclusive) | 4.3.3 | Open Source |
| 5.0.x | 5.0.0 through 5.0.2 (inclusive) | 5.0.3 | Open Source |

Older, unsupported versions of Spring Cloud Config are also affected. Organizations running versions outside these listed trains should assume they are vulnerable and migrate to a supported release immediately.

It is worth noting that fixes for the 3.1.x, 4.1.x, and 4.2.x branches are only available through VMware Tanzu Spring Enterprise Support. Organizations on these older branches without enterprise contracts will need to upgrade to the 4.3.x or 5.0.x trains to obtain the fix through open source channels.

The vendor advisory does not document any configuration workarounds, making version upgrades the only officially supported remediation path.

Vendor Security History

Spring Cloud Config is maintained under the Spring ecosystem, now managed by VMware (a Broadcom division following the November 2023 acquisition). VMware maintains a dedicated security advisory page at spring.io/security and follows a structured disclosure and patching process. The tiered support model, where older branch fixes are gated behind enterprise contracts, is a pattern that has become more pronounced since the Broadcom acquisition. This creates a practical gap for organizations on older open source deployments that need security patches but lack enterprise support agreements.
