Introduction
A race condition in Spring Cloud Config Server's Git repository cloning mechanism allows a locally privileged attacker to manipulate the filesystem directory used for configuration storage, potentially exposing or tampering with sensitive configuration data distributed to downstream microservices. The vulnerability, tracked as CVE-2026-41002, carries a CVSS score of 7.2 (High) and affects five active release trains, with a remediation path that varies depending on whether an organization holds VMware Enterprise Support.
Spring Cloud Config Server is a central configuration management component in the Spring Cloud ecosystem, widely used to externalize and distribute configuration across microservices deployments. It integrates with Git repositories to serve versioned configuration properties to client applications at runtime.
Technical Information
CVE-2026-41002 is classified under CWE-367: Time of Check Time of Use (TOCTOU) Race Condition. The vulnerability is located in the handling of the spring.cloud.config.server.git.basedir configuration property. This property defines the local filesystem directory where Spring Cloud Config Server clones Git repositories that contain application configuration.
The fundamental issue is that the server checks the state of this base directory and then uses it in a subsequent, non-atomic operation. This temporal gap between the check and the use creates a window during which an attacker can alter the directory's state on the filesystem. By substituting the directory (for example, via a symlink swap or directory replacement) between the check and the use, an attacker could redirect the Config Server to interact with an attacker-controlled location.
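To make the defensive point concrete, the following is an added illustration (not Spring Cloud Config Server's own code) of why a path-based check-then-use on the base directory is fragile and how a handle-based open closes the window: the directory is opened once with O_DIRECTORY|O_NOFOLLOW, the inode actually opened is validated with fstat, and subsequent reads go through dir_fd so the configured path is never re-resolved. It assumes POSIX (Linux) semantics for those flags, and the directory layout it builds under a temp directory is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added illustration, not Spring Cloud Config's code. The basedir is opened once
# with O_DIRECTORY|O_NOFOLLOW, the opened inode is validated with fstat, and later
# reads go through dir_fd so the path is never re-resolved (assumes POSIX/Linux).

class UnsafeBaseDirError(Exception):
    pass

def open_basedir(path: str) -> int:
    """Return a directory fd for `path`, refusing symlinks and unsafe ownership/mode."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:  # ELOOP: final component is a symlink; ENOTDIR: not a dir
        raise UnsafeBaseDirError(f"refusing {path}: {exc.strerror}") from exc
    st = os.fstat(fd)  # inspect the inode actually opened, not the path string
    if st.st_uid != os.geteuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        os.close(fd)
        raise UnsafeBaseDirError(f"{path}: wrong owner or group/world writable")
    return fd

def read_config_file(basedir_fd: int, name: str) -> bytes:
    """Read `name` relative to the validated handle; the basedir path is not touched again."""
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=basedir_fd)
    with os.fdopen(fd, "rb") as f:
        return f.read()

def demo() -> dict:
    """Constructed scenario: a genuine basedir and a symlink standing in for a swapped one."""
    root = tempfile.mkdtemp()
    real = os.path.join(root, "config-repo")
    os.mkdir(real, 0o700)
    with open(os.path.join(real, "application.yml"), "wb") as f:
        f.write(b"server.port: 8080\n")
    swapped = os.path.join(root, "swapped")
    os.symlink(root, swapped)  # a symlink now occupies the basedir path
    # A path-based check such as isdir() follows the link and reports True, so a
    # check-then-use sequence built on it would proceed against the wrong directory.
    path_check_accepts = os.path.isdir(swapped)
    try:
        os.close(open_basedir(swapped))
        handle_accepts = True
    except UnsafeBaseDirError:
        handle_accepts = False
    fd = open_basedir(real)
    content = read_config_file(fd, "application.yml")
    os.close(fd)
    return {"path_check_accepts": path_check_accepts, "handle_accepts": handle_accepts, "content": content}
```

The same ownership and writability checks on the configured basedir (and on the temp directory the default behavior falls back to) are a reasonable pre-flight check for deployments that cannot upgrade immediately.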
CVSS Vector Analysis
The full CVSS v3.1 vector is AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N. The individual components tell us quite a bit about the exploitation constraints and impact:
- Attack Vector (Local): The attacker must have local access to the system running the Config Server. This is not remotely exploitable.
- Attack Complexity (High): Successfully exploiting the race condition requires precise timing to manipulate the directory during the narrow window between the check and the use.
- Privileges Required (High): The attacker needs elevated privileges on the local system, which significantly narrows the pool of potential attackers.
- User Interaction (None): No action from a legitimate user is required to trigger the vulnerability.
- Scope (Changed): This is the most notable aspect of the scoring. A scope change means the impact extends beyond the vulnerable component (the Config Server process) to affect other components, likely the downstream services consuming configuration from the server.
- Confidentiality and Integrity (High/High): A successful exploit could expose sensitive configuration values (database credentials, API keys, secrets) and allow an attacker to inject or modify configuration data served to client applications.
- Availability (None): The vulnerability does not impact system availability.
The scope change is particularly significant in microservices architectures. If an attacker can manipulate the configuration source, every downstream service that pulls configuration from the compromised Config Server instance could be affected. This makes the vulnerability especially relevant in multi-tenant environments or shared infrastructure where multiple users or processes have local access to the Config Server host.
What We Do Not Know
The available sources do not include proof of concept exploit code, specific details about the vulnerable code path, or a step-by-step exploitation walkthrough. We cannot confirm the exact mechanism (symlink attack, directory replacement, mount manipulation, or another technique) that would be used to exploit the race window.
Affected Systems and Versions
The vulnerability spans five active release trains of Spring Cloud Config:
| Affected Version Range | Fixed Version | Availability |
|---|---|---|
| 3.1.0 through 3.1.13 | 3.1.14 | Enterprise Support Only |
| 4.1.0 through 4.1.9 | 4.1.10 | Enterprise Support Only |
| 4.2.0 through 4.2.6 | 4.2.7 | Enterprise Support Only |
| 4.3.0 through 4.3.2 | 4.3.3 | Open Source |
| 5.0.0 through 5.0.2 | 5.0.3 | Open Source |
Older, unsupported versions are also affected. Organizations running on the 3.1.x, 4.1.x, or 4.2.x branches without an active Enterprise Support agreement must migrate to either the 4.3.x or 5.0.x branch to obtain the fix through the open source channel.
Any deployment that uses the spring.cloud.config.server.git.basedir property (or relies on the default base directory behavior) on a system where multiple users or processes have local access should be considered at risk.
Vendor Security History
The disclosure of CVE-2026-41002 was part of a coordinated batch release on May 6, 2026, in which VMware and the Spring team published fixes for four vulnerabilities in the Spring Cloud Config ecosystem simultaneously:
| CVE | Vulnerability Type | Severity |
|---|---|---|
| CVE-2026-40982 | Path Traversal | Critical (9.1) |
| CVE-2026-41002 | TOCTOU Race Condition | High (7.2) |
| CVE-2026-40981 | Google Secrets Manager Access | High |
| CVE-2026-41004 | Plaintext Sensitive Data in Trace Logs | Medium (4.4) |
The simultaneous release of four security fixes across the same product suggests either a focused security audit of the Spring Cloud Config codebase or a coordinated response to multiple independent reports. Organizations upgrading to address CVE-2026-41002 will also remediate the critical path traversal vulnerability (CVE-2026-40982), which carries a CVSS score of 9.1 and should be prioritized accordingly.