Full Report
Spring security advisory (AV26-431)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Spring Cloud Config
## CVE Details
- **CVE ID:** CVE-2026-40981, CVE-2026-40982, CVE-2026-41002
- **CVSS Score:** Not listed in the advisory; the updates are categorized as critical.
- **CWE:** CWE-22 (Path Traversal), CWE-367 (Time-of-check to time-of-use - TOCTOU)
## Affected Systems
- **Products:** Spring Cloud Config (Server and Clients)
- **Versions:** Multiple versions (Contact vendor for specific legacy version support)
- **Configurations:**
  - Systems using Google Secrets Manager for backend storage.
  - Servers serving static resources or file-based configurations.
## Vulnerability Description
This advisory addresses three distinct security flaws:
1. **CVE-2026-40981 (Unauthorized Secret Access):** A logic flaw where Spring Cloud Config Clients can bypass project boundaries and access secrets from any project the Config Server has permissions to within Google Secrets Manager.
2. **CVE-2026-40982 (Directory Traversal):** A path traversal vulnerability in `spring-cloud-config-server` allowing attackers to access restricted files on the server's file system by manipulating input paths.
3. **CVE-2026-41002 (TOCTOU Attack):** A race condition (Time-of-check to time-of-use) flaw in the Config Server. An attacker can exploit the window between the validation of a resource and its actual use to perform unauthorized actions.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild (as of May 7, 2026).
- **Complexity:** Medium to High (TOCTOU requires specific timing; Path Traversal/Secret Access requires network access to the config endpoint).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to sensitive environment secrets, credentials, and local system files).
- **Integrity:** High (Potential to manipulate configuration data via TOCTOU).
- **Availability:** Low to Medium.
## Remediation
### Patches
Users are urged to update to the following versions or newer:
- Spring Cloud Config 4.x users: Update to latest patched minor version.
- Spring Cloud Config 3.x users: Update to latest patched minor version.
*(Note: Refer to hxxps[://]spring[.]io/security for specific version numbers released on May 6, 2026).*
### Workarounds
- **Strict IAM:** For CVE-2026-40981, limit the Config Server's IAM service account permissions in Google Cloud to only the specific projects required.
- **Input Validation:** Implement strict filtering on client-provided application/profile names to mitigate traversal attempts.
- **Network Segregation:** Ensure the Config Server is only accessible via internal trusted networks.
## Detection
- **Indicators of Compromise:** Unusual log entries in Config Server showing path traversal patterns (e.g., `../`, `%2e%2e%2f`).
- **Audit Logs:** Monitor Google Cloud IAM/Secret Manager logs for access requests to secrets belonging to projects not associated with the requesting client.
- **Detection Tools:** Use SAST/DAST scanners updated with the latest Spring security definitions.
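The two defensive controls above that a practitioner can implement directly are the **Input Validation** workaround (allowlisting client-supplied application/profile names) and the **Indicators of Compromise** check (spotting `../` and `%2e%2e%2f` patterns in Config Server request logs). The following is an added example, not code from the advisory or from the Spring Cloud Config project, that shows both built on one shared normalisation step: percent-decode repeatedly, then inspect the final form. The allowed name character set, the access-log line format, and the `SAMPLE_LOG` entries are all assumptions constructed for this example; a real deployment's naming scheme and log format will differ.

```python
import re
from typing import Optional
from urllib.parse import unquote

# --- Shared normalisation -------------------------------------------------

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so that double-encoded sequences such as
    %252e%252e%252f are seen in their final ../ form before any check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

# --- Workaround: allowlist validation of application/profile/label -------

# Allowed character set is an assumption for this example; tighten it to
# the naming scheme your deployment actually uses.
NAME_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def is_safe_config_name(raw: str) -> bool:
    """True only if the decoded name is a single, plain path segment."""
    value = decode_fully(raw)
    if not NAME_PATTERN.fullmatch(value):
        return False
    # The pattern already excludes separators; also refuse any '..' so a
    # name can never be read as a parent-directory reference.
    return ".." not in value

def validate_request(application: str, profile: str,
                     label: str = "main") -> Optional[dict]:
    """Return the validated, decoded triple, or None if any part fails."""
    parts = {"application": application, "profile": profile, "label": label}
    if all(is_safe_config_name(v) for v in parts.values()):
        return {k: decode_fully(v) for k, v in parts.items()}
    return None

# --- Detection: traversal patterns in request logs -----------------------

# Constructed sample lines in a generic "timestamp source method path status"
# shape; the real Config Server or reverse-proxy log format will differ.
SAMPLE_LOG = """\
2026-05-07T10:12:01Z 10.0.0.5 GET /myapp/default 200
2026-05-07T10:12:04Z 10.0.0.9 GET /myapp/../../server.cfg 400
2026-05-07T10:12:07Z 10.0.0.9 GET /myapp/%2e%2e%2f%2e%2e%2fserver.cfg 400
2026-05-07T10:12:09Z 10.0.0.9 GET /myapp/%252e%252e%252fserver.cfg 200
2026-05-07T10:12:11Z 10.0.0.5 GET /billing/prod/main 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def traversal_indicator(path: str) -> Optional[str]:
    """Classify a request path: None if clean, else a short reason string."""
    segments = decode_fully(path).replace("\\", "/").split("/")
    if ".." not in segments:
        return None
    lowered = path.lower()
    if "%25" in lowered:
        return "double-encoded traversal"
    if "%2e" in lowered or "%2f" in lowered:
        return "percent-encoded traversal"
    return "plain ../ traversal"

def scan_log(text: str) -> list:
    """Return one finding per request whose path carries a traversal pattern."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; skip it
        reason = traversal_indicator(m["path"])
        if reason:
            findings.append({"ts": m["ts"], "src": m["src"], "path": m["path"],
                             "status": m["status"], "reason": reason})
    return findings

def count_by_source(findings: list) -> dict:
    """Aggregate findings per source address to spot a probing client."""
    counts: dict = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts

if __name__ == "__main__":
    print(validate_request("myapp", "prod"))
    print(validate_request("myapp", "%2e%2e%2fetc"))
    for f in scan_log(SAMPLE_LOG):
        # A 2xx status on a traversal pattern is the finding to escalate first.
        print(f"{f['ts']} {f['src']} {f['status']} {f['reason']}: {f['path']}")
    print(count_by_source(scan_log(SAMPLE_LOG)))
```

The validator decodes before matching so that an encoded `..` cannot slip past an allowlist applied to the raw string, and the log scanner uses the same decoding so that plain, single-encoded and double-encoded variants all surface. When triaging findings, weight those with a 2xx status and those clustered on one source address; a 400 on a traversal pattern shows the server rejected it, a 200 means the request reached something and warrants a closer look.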
## References
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/spring-security-advisory-av26-431
- hxxps[://]spring[.]io/security/cve-2026-40981
- hxxps[://]spring[.]io/security/cve-2026-40982
- hxxps[://]spring[.]io/security/cve-2026-41002
- hxxps[://]spring[.]io/security