Vulnerability in Spring Cloud Config Server Affects File System Security
CVE-2026-22739

8.6HIGH

Key Information:

Vendor: Spring
Status: Spring Cloud
Vendor: CVE Published:; 24 March 2026

What is CVE-2026-22739?

The vulnerability in Spring Cloud enables attackers to manipulate the profile parameter sent to the Spring Cloud Config Server. This misconfiguration allows unauthorized access to files located outside the designated search directories, potentially exposing sensitive data. The issue affects multiple versions of Spring Cloud, making it critical for users to update their systems to safeguard against this security flaw.

Affected Version(s)

Spring Cloud 3.1.x < 3.1.13

Spring Cloud 4.1.x < 4.1.9

Spring Cloud 4.2.x < 4.2.3

References

https://spring.io/security/cve-2026-22739

EPSS Score

11% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Jan 9, 2026

CVE-2026-22739 Data

JSON