TOCTOU Vulnerability in Spring Cloud Config Server by VMware
CVE-2026-41002

7.4HIGH

Key Information:

Vendor: Spring
Status: Spring Cloud Config
Vendor: CVE Published:; 7 May 2026

What is CVE-2026-41002?

The Spring Cloud Config Server has a vulnerability that allows for a time-of-check-time-of-use (TOCTOU) attack due to the insecure handling of the base directory (spring.cloud.config.server.git.basedir) for cloning Git repositories. This can lead to unauthorized access or manipulation of repository data. Users are advised to upgrade to the fixed versions: 3.1.14 or greater for the 3.1.x series, 4.1.10 or greater for the 4.1.x series, 4.2.7 or greater for the 4.2.x series, and 4.3.3 or greater for the 4.3.x series, as well as 5.0.3 or greater for the 5.0.x series, to mitigate potential risks.

Affected Version(s)

Spring Cloud Config 3.1.0 < 3.1.14

Spring Cloud Config 4.1.0 < 4.1.10

Spring Cloud Config 4.2.0 < 4.2.7

References

https://spring.io/security/cve-2026-41002

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-41002 Data

JSON