Sensitive Information Exposure in Spring Cloud Config Server
CVE-2026-41004

4.4 MEDIUM

Key Information:

Vendor: Spring

CVE Published: 7 May 2026

What is CVE-2026-41004?

When trace logging is enabled, Spring Cloud Config Server can inadvertently write sensitive information to its logs in plain text, compromising the security of applications that rely on the server for configuration. Multiple versions of Spring Cloud Config are affected, so users should upgrade to the latest versions to mitigate this exposure risk.

Affected Version(s)

Spring Cloud Config 3.1.0 < 3.1.14

Spring Cloud Config 4.1.0 < 4.1.10

Spring Cloud Config 4.2.0 < 4.2.7

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
