CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected
From CTI Daily Brief — 2026-05-09 · published 2026-05-09
CVE-2026-40982 (CWE-22, CVSS 9.8) is a pre-authentication directory traversal in Spring Cloud Config Server — the configuration management backbone of Spring Cloud microservices architectures. The server fails to validate URL path segments before appending them to configured search-location paths; an unauthenticated attacker can craft requests that traverse outside the configuration root to read or write arbitrary files accessible to the server process. Attack complexity is low; no privileges or user interaction are required. All actively-maintained branches are affected: 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x, plus all unsupported versions. Open-source patches: 4.3.3 and 5.0.3; backported enterprise patches are available via HeroDevs NES for older branches. No in-the-wild exploitation had been confirmed at the time of reporting. Three companion CVEs were disclosed in the same batch: CVE-2026-40981 (HIGH, Google Secrets Manager backend flaw), CVE-2026-41002 (HIGH), CVE-2026-41004 (MEDIUM) (Spring.io security advisory, 2026-05-06 · CERT-FR CERTFR-2026-AVI-0543, 2026-05-07 · HeroDevs analysis, 2026-05-08).
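As an added illustration (not code from Spring Cloud Config, the advisory, or HeroDevs), the containment check of the kind the advisory says is missing: a client-supplied path is mapped onto a search-location root and rejected if it canonicalises to anything outside that root, including percent-encoded and double-encoded separators. The root directory and request strings are constructed; upgrading to the patched releases remains the actual remediation.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def fully_decode(segment: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a
    double-encoded separator does not survive a single decode."""
    for _ in range(max_rounds):
        decoded = unquote(segment)
        if decoded == segment:
            return decoded
        segment = decoded
    return segment


def resolve_under_root(search_root: str, requested: str) -> Optional[Path]:
    """Map a client-supplied path onto the search-location root.

    Returns the canonical file path, or None when the request would
    escape the root. resolve() also follows symlinks, so a link inside
    the root that points outside it is rejected as well.
    """
    root = Path(search_root).resolve()
    decoded = fully_decode(requested)
    # Control characters and backslashes never belong in a config name.
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # ValueError when outside root
    except ValueError:
        return None
    return candidate


def is_contained(search_root: str, requested: str) -> bool:
    """True when the request stays inside the search-location root."""
    return resolve_under_root(search_root, requested) is not None


if __name__ == "__main__":
    # Constructed sample root and requests; none of these files need to exist.
    for req in ["app/default.yml", "app/../shared/app.yml",
                "../outside.txt", "%2e%2e/outside.txt", "%252e%252e/outside.txt"]:
        print(f"{req!r:32} contained={is_contained('/srv/config', req)}")
```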
Spring Cloud Config is pervasive in Java-based enterprise and government digital-transformation projects across the EU; a compromise of the config server can expose credentials, TLS certificates, database connection strings, and API keys for every connected microservice.