Directory Traversal Vulnerability in Spring Cloud Config by Pivotal
CVE-2026-40982

9.1CRITICAL

Key Information:

Vendor: Spring
Status: Spring Cloud Config
Vendor: CVE Published:; 7 May 2026

What is CVE-2026-40982?

The Spring Cloud Config server module has a vulnerability that allows unauthorized users to exploit a directory traversal issue. By sending specially crafted requests, attackers can access arbitrary files on the server, potentially leading to the exposure of sensitive data. This vulnerability affects multiple versions of Spring Cloud Config, and users are strongly advised to upgrade to the patched versions to ensure the security of their applications.

Affected Version(s)

Spring Cloud Config 3.1.0 < 3.1.14

Spring Cloud Config 4.1.0 < 4.1.10

Spring Cloud Config 4.2.0 < 4.2.7

References

https://spring.io/security/cve-2026-40982

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-40982 Data

JSON