ctipilot.ch


CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected

notable vulnerability discovered 2026-05-09 05:00 UTC

Part of run 2026-05-09-migrated (intel · unknown)

CVE-2026-40982 (CWE-22, CVSS 9.8) is a pre-authentication directory traversal in Spring Cloud Config Server — the configuration management backbone of Spring Cloud microservice architectures. The server fails to validate URL path segments before appending them to the configured search-location paths, so an unauthenticated attacker can craft requests that traverse outside the configuration root and read or write any file accessible to the server process. Attack complexity is low, and no privileges or user interaction are required. All actively maintained branches are affected (3.1.x, 4.1.x, 4.2.x, 4.3.x and 5.0.x), as are all unsupported versions. Open-source patches are 4.3.3 and 5.0.3; backported enterprise patches for older branches are available via HeroDevs NES. No in-the-wild exploitation had been confirmed at the time of reporting. Three companion CVEs were disclosed in the same batch: CVE-2026-40981 (HIGH, a flaw in the Google Secrets Manager backend), CVE-2026-41002 (HIGH) and CVE-2026-41004 (MEDIUM) (Spring.io security advisory, 2026-05-06 · CERT-FR CERTFR-2026-AVI-0543, 2026-05-07 · HeroDevs analysis, 2026-05-08).

Spring Cloud Config is pervasive in Java-based enterprise and government digital-transformation projects across the EU; a compromise of the config server can expose credentials, TLS certificates, database connection strings, and API keys for every connected microservice.
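As an added illustration (not code from Spring Cloud Config or from the advisory), the Python below contrasts the unvalidated append pattern the advisory describes with a containment check on the normalised path. The search-location root and the file names are constructed placeholders.

```python
import posixpath
from urllib.parse import unquote

# Constructed placeholder for a configured search-location root (not from the advisory).
CONFIG_ROOT = "/srv/config-repo"


def naive_resolve(root: str, requested: str) -> str:
    """The weak pattern: the URL segment is appended to the search location
    with no validation, so '..' segments are honoured by the filesystem."""
    return posixpath.join(root, requested)


def resolve_config_path(root: str, requested: str):
    """Hardened resolution: decode the segment once, normalise the joined path
    and accept it only if it is still inside the configured root.
    Returns the absolute path, or None when the request would escape."""
    decoded = unquote(requested)
    # NUL bytes truncate paths in native filesystem calls; never pass them on.
    if "\x00" in decoded:
        return None
    # A leading '/' would make join() discard the root entirely, so strip it.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # Containment check on the normalised path. Only one URL-decode is done on
    # purpose: a doubly encoded segment stays a literal directory name to the
    # filesystem. On a live filesystem also compare os.path.realpath() of both
    # sides so a symlink inside the repo cannot point outside it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate
```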

Action items

  • Identify all Spring Cloud Config Server deployments. The Config Server is frequently deployed as an internal microservice but may be exposed if API gateway routing is misconfigured.
  • Patch to 4.3.3 (for 4.3.x branch) or 5.0.3 (for 5.0.x branch) per Spring.io advisory.
  • Verify that the Config Server is not directly exposed to the internet (it should be reachable only from services within the same trust zone).
  • Review config repo files for credentials, TLS private keys, and database connection strings; treat them as potentially exposed if the server was internet-accessible.