June 11, 2026

Everything You Need to Know About the Spring Cloud Vulnerability

Rashmi Singh
Senior Security Analyst

CVE-2026-40982 - Everything You Need to Know About the Spring Cloud Vulnerability

Vulnerability: Path Traversal in Spring Cloud Config Server ResourceController

Severity: 9.1 Critical (CVSS v3.1 Base score) CWE-22

Affected Versions: Spring Cloud Config Server 3.1.x through 5.0.x

Authentication Required: None  

First Identified: April 23, 2026  

Fixed In: 3.1.14 / 4.1.10 / 4.2.7 / 4.3.3 / 5.0.3

A path traversal vulnerability in Spring Cloud Config Server’s ResourceController allows an unauthenticated attacker to read arbitrary files from the server’s filesystem with a single HTTP request, no credentials, no user interaction required. The fix for a prior vulnerability (CVE-2026-22739) protected one parameter in one controller. Three others in an adjacent controller received no equivalent check. The gap was found during BAS exploit development for the Hive Pro Exposure Management platform.

This blog covers the following: Vulnerability Description and Details, Vulnerability Timeline, Risk, Attack Vector, Threat and Exploit, Business Impact, and Recommendation.


Responsible Disclosure

1. Vulnerability Description and Details

What is Spring Cloud Config Server?

Spring Cloud Config Server is the centralized configuration and secret distribution layer for microservice environments built on the Spring framework. When any microservice starts up, it connects to Config Server and asks for its runtime configuration: database password, cloud provider credentials, JWT signing keys, API tokens, feature flags. Config Server pulls all of it from a Git repository and distributes it over HTTP.

This makes it one of the highest-value targets in any Spring-based infrastructure. Compromise Config Server and you do not need to break into individual services you get the keys to all of them at once.

How widely is it used? 

Spring Boot, the foundation on which Spring Cloud Config Server runs, is used by over 71,000 companies globally. Any organisation running Spring Boot-based microservices at scale is a potential Spring Cloud Config Server user. More than 60% of Java developers use Spring as their primary framework, and it dominates enterprise Java banking, healthcare, insurance, government, e-commerce. Config Server is a default component in any microservices deployment on this stack. When a flaw lands here, the blast radius is wide.


Local, cloud, or both all deployments are at risk

Config Server is deployed in two common configurations, and both carry exposure:

What is the vulnerability?

CVE-2026-40982 is a path traversal flaw in ResourceController, one of three request handlers inside Spring Cloud Config Server that accept user-controlled URL inputs. The server uses four path variables to serve configuration files: name, profile, label, and path.

The fix for CVE-2026-22739 added a traversal check to the profile variable in EnvironmentController. That same variable also flows through ResourceController, and the three remaining variables name, label, and path received no protection at all. An attacker sends a crafted GET request with a traversal sequence in any of those three variables. The controller passes it through. The server returns the file.

Officially, this is CWE-22 Path Traversal. Under OWASP it maps to A01:2021-Broken Access Control (accessing files outside the intended boundary) and A05:2021-Security Misconfiguration (the same protection applied to one controller, never the others). Both matter when making the case for patching to leadership or an auditor.

Attribute Details
CVE ID CVE-2026-40982
CVSS v3.1 Score 9.8 Critical
CWE CWE-22 Improper Limitation of a Pathname to a Restricted Directory
OWASP A01:2021 Broken Access Control / A05:2021 Security Misconfiguration
Authentication Required None
User Interaction Required None
Access Vector Network
Disclosure Responsibly disclosed — patched before public release

Affected Versions

Branch Vulnerable Fixed In Support Type
3.1.x All < 3.1.14 3.1.14 Enterprise Support
4.1.x All < 4.1.10 4.1.10 Enterprise Support
4.2.x All < 4.2.7 4.2.7 Enterprise Support
4.3.x All < 4.3.3 4.3.3 Open Source
5.0.x All < 5.0.3 5.0.3 Open Source

1. Vulnerability Timeline

Spring Cloud Config Server has a seven-year documented history of path traversal vulnerabilities in the same module. The pattern is consistent across all of them: a flaw is reported, the fix is applied to the specific parameter that was flagged, and the adjacent parameters are left untouched. The next researcher finds one of those gaps and the cycle repeats.

Year CVE What happened Exploited in the wild?
2019 CVE-2019-3799 Path traversal via the path parameter. Check placed at the repository layer, not the controller. Yes. Public proof-of-concept circulated widely.
2020 CVE-2020-5405 Bypass of the 2019 fix. Validation moved to the controller but only for the reported parameter. Yes. Listed on CISA KEV.
2020 CVE-2020-5410 Bypass of 2020 fix. Same class, different slot left unchecked. Yes. CISA KEV listed. Actively exploited in production.
2022 CVE-2022-22947 (Spring Cloud Gateway) Code injection via unsanitised route configuration. Full remote code execution with no authentication. Single HTTP request. Yes. CISA KEV with 21-day mandatory remediation. North Korean state-sponsored actors confirmed interest. Metasploit module published.
2022 CVE-2022-22963 (Spring Cloud Function) Remote code execution via malicious HTTP header. Public PoC within 24 hours. Used to deploy cryptominers and remote access tools. Yes. Mass exploitation globally within days of disclosure.
2026 CVE-2026-22739 Path traversal and SSRF in EnvironmentController via the profile parameter. Fixed for that one slot only. Not confirmed. Patched after responsible disclosure.
2026 CVE-2026-40982 Three unprotected path variables in ResourceController. Same module, same attack class. Found during BAS development at HivePro. Fixed before public disclosure. No known exploitation.

2. Risk, Attack Vector, Threat, and Exploit

⚠️  Note: This vulnerability has the highest impact on deployments running Spring Cloud Config Server with a custom ResourceRepository implementation. In default setups, a fallback check inside the built-in repository may catch the traversal. With a custom repository, that safety net does not exist; a single unauthenticated request reads the file directly.

How easy is this to exploit?

Very easy. There is no exploit chain, no specialised tooling, no insider access needed. This is a single crafted HTTP GET request.

  • No credentials no username, password, token, or API key of any kind
  • No user interaction no employee needs to click anything or make any mistake
  • No special tools curl, a browser, Burp Suite any standard HTTP client works
  • Network access only if the endpoint is reachable, the attack works, including from inside the corporate network
The above applies fully to deployments running a custom ResourceRepository. On default installations, a fallback check may intercept the traversal at the repository layer  however the controller still passes the request through unchecked.

Attack Details

#1  Initial access via network reach. Attacker identifies a reachable Spring Cloud Config Server endpoint. In cloud environments, misconfigured security groups have left Config Server directly internet-exposed. In internal environments, any foothold on the network is sufficient. No authentication prompt is present.

#2  One crafted web request. The attacker sends a GET request to the Config Server URL with a manipulated path variable. The variable contains a traversal sequence that tells the server to go up and outside the intended directory. The server processes it without objecting.

#3  The server does not check. The three unprotected path variables name, label, and path reach the file repository with no validation at the controller layer. The prior fix only covered the profile. Everything else passes straight through. If you are running a custom repository backend, there is no fallback check either. The file is returned.

#4  Controller passes. Repository receives. File returned. The controller lets the request through. In a default installation, the built-in GenericResourceRepository has its own isInvalidPath() check that catches the traversal before a file is read. But organisations running custom ResourceRepository implementations of a documented and common pattern have no such check. The request reaches the custom repository, the file is located and returned, with HTTP 200. No errors. No alert.

Parameter Protection in 5.0.2 Observed HTTP response What it means
name Normalised, not validated 404 The controller accepted it. The repository went looking.
label Normalised, not validated 404 The controller accepted it. The repository went looking.
profile Validated (CVE-2026-22739 fix) 400 Rejected at controller. Fix working.
path Nothing at all 404 The controller accepted it. Went straight to the repository.

3. Business Impact

What an attacker can do with a Config Server file read

Config Server is not one application. It is the master keyring for the entire service mesh. A single file read on a Config Server host typically yields enough material to pivot into every downstream system. The attacker does not need to chain additional exploits. The credentials are already there, in plaintext, in the config files.

How a real incident unfolds

#1  An attacker identifies your Config Server endpoint either through internet scanning (cloud deployment) or from a foothold inside your network (internal deployment). No login page. No authentication. The endpoint accepts requests.

#2  A crafted GET request is sent. Within seconds, the server returns a configuration file. That file contains your database connection string. Another request returns your cloud provider API key. A third returns your JWT signing secret.

#3  The attacker now has the database password. Every record your application touches is accessible. Customer names, emails, financial transactions, national IDs, healthcare records whatever your databases hold. The breach has already happened at this point. The attacker has not touched the database directly yet, but the credential to do so is in their hands.

#4  The cloud provider key is used to access object storage. Backups, documents, logs, archived data all of it is now reachable. The attacker can read, copy, or delete without triggering application-layer alerts.

#5  The JWT signing key is used to forge authentication tokens. The attacker can now impersonate any user in the system including administrators without knowing a single password and without triggering any failed-login alerts. From the application’s perspective, every forged session looks legitimate.

Confidential data at risk

Credential exposed Immediate capability
Database passwords Full read/write/delete access to every connected database
Cloud provider keys (AWS/Azure/GCP) Storage access, compute control, backup exfiltration, lateral cloud movement
JWT signing keys Forge valid login sessions for any user or admin without knowing their password
Internal API credentials Access third-party integrations, payment systems, partner APIs
Feature flags and app config Map internal architecture, disable security controls, manipulate app behaviour silently

Regulatory and legal exposure

Depending on where you operate and what data was accessible:

  • GDPR: Notification to supervisory authorities within 72 hours. Fines up to €20 million or 4% of global annual turnover.
  • HIPAA: Mandatory notification to affected individuals and the US Department of Health and Human Services.
  • PCI-DSS: Incident response obligations, potential suspension of card processing, mandatory forensic investigation.
  • SOC 2 / ISO 27001: An unpatched critical CVE is a material finding in audit and certification reviews.

4. Recommendation

  1. Patch immediately. Upgrade to the fixed version for your branch. The patched releases harden all three controllers EnvironmentController, ResourceController, and EncryptionController and add normalize(path) before the repository call. All four path variables are now validated. This is a complete fix, not a partial one.
Branch Upgrade to Support Type
3.1.x 3.1.14 Enterprise Support
4.1.x 4.1.10 Enterprise Support
4.2.x 4.2.7 Enterprise Support
4.3.x 4.3.3 Open Source
5.0.x 5.0.3 Open Source
  1. Audit custom ResourceRepository implementations. If your organisation has built a custom ResourceRepository, a supported and common pattern for non-Git config backends, upgrading the framework version protects the controller layer but does not add isInvalidPath() to your custom repository. Verify your implementation includes path validation before any user-supplied input reaches file-serving logic.
  2. Check network exposure now, regardless of patch status. Config Server must not be reachable from untrusted networks under any circumstances. Verify firewall rules, security groups, and load balancer configuration. If the endpoint is internet-accessible without authentication, isolate it immediately.
  3. If patching is delayed, apply temporary controls. Block external access at the firewall layer. Require authentication at the API gateway before any request reaches Config Server. Monitor request logs for traversal patterns look for .. sequences or underscore-encoded characters ((_)) in path variables. These are stopgaps only. They reduce exposure but do not fix the vulnerability.

Recommendation for Hive Pro exposure management platform customers:

  1. Scan your infrastructure and cloud environment for springcloud vulnerabilities using Hive Pro network scanners or even 3rd party scanners like Tenable, Qualys or Rapid7 
  2. Validate the attack feasibility by running a BAS simulation using the Hive Pro platform. Check and validate whether the attack is possible given the existing security controls, network architecture and placement, etc. 
  3. If the attack is possible instantly reduce the risk by pushing the IOCs and SIGMA rules to EDR and SIEM for early detection of the attack to reduce the exposure 
  4. Block external access at the firewall layer. Require authentication at the API gateway before any request reaches Config Server.

How It Was Found

This came out of routine BAS (Breach and Attack Simulation) development work on the HivePro Exposure Management platform. While building a simulation test for CVE-2026-22739, the CVE history of spring-cloud-config-server was the natural first thing to review.

The CVE history told the story clearly: four vulnerabilities, same defect class, fixed one parameter at a time, seven years running. Each fix closed what was reported and left everything else open. The fix for CVE-2026-22739 added a check to the profile parameter in EnvironmentController. That same parameter also flows through ResourceController with no equivalent check. 

Focus shifted to the three remaining unprotected path variables on ResourceController name, label, and path and to EncryptionController, which the fix had not touched at all. Traversal payloads were sent through each slot. Three returned HTTP 404 the controller accepted them and passed them to the repository. One returned HTTP 400 the fix working as intended on profile.

The finding was reported to the Spring team via GitHub Security Advisories ( The Spring Cloud maintainers acknowledged it within 14 hours and assigned it for triage. CVE-2026-40982 was published on May 6, 2026, alongside fixes for all five affected branches.

Date Event
2026-04-22 CVE-2026-22739 reproduced on an unpatched baseline. HTTP 400 confirmed as expected rejection.
2026-04-23 ResourceController.retrieve() reviewed. name, label, and path slots tested. HTTP 404 on all three.
2026-04-23 Security advisory filed via GitHub Security Advisories. Acknowledged by the Spring Cloud maintainers within 14 hours.
2026-05-06 CVE-2026-40982 published. Fixes released across all affected branches simultaneously.

The Bigger Picture

Seven years. Five CVEs. The same module. Every fix was correct but too narrow scoped to what was reported, not what was exposed. That is the pattern this discovery followed, and it is a pattern worth internalising: when you patch a vulnerability, ask what else in the same code path shares the same attack surface.The Spring team responded promptly and fixed the full surface in 5.0.3 and 4.3.3. The patches are available across all branches.

----

Recent Resources

Dive into our library of resources for expert insights, guides, and in-depth analysis on maximizing Uni5 Xposure’s capabilities
Cybersecurity visualization showing a breached shield with the Chrome logo, representing zero-day vulnerability exploits targeting enterprise browsers

Chrome Zero Day Vulnerability: Risks and Enterprise Protection

Schedule a free exposure assessment. Learn how chrome zero day vulnerability exploits like CVE-2026-5281 and CVE-2026-11645 impact enterprise security and...
Read More
MITRE D3FEND Matrix and cybersecurity defense visualization

MITRE D3FEND Framework: Complete Defensive Security Guide

Schedule a free demo of the Uni5 Xposure platform. Learn how the MITRE D3FEND framework complements ATT&CK to validate and secure your cybersecurity posture.
Read More
Security analyst comparing Mandiant vs Hive Pro exposure management approaches

Mandiant vs Hive Pro: A CTEM Comparison Guide

Request a Mandiant vs Hive Pro comparison. See how exposure visibility, threat-based prioritization, BAS validation, and remediation workflows differ.
Read More
Continuous exposure management dashboard supporting SOC 2 cybersecurity

SOC 2 Cybersecurity With Continuous Exposure Management

Request a demo to strengthen SOC 2 cybersecurity with continuous exposure management, prioritized remediation, and audit-ready evidence.
Read More
Connected signals in a Gartner exposure assessment platform

Gartner Exposure Assessment Platforms: Buyer Guide

Request a Uni5 demo to see how Gartner exposure assessment platforms help teams prioritize, validate, and remediate consequential exposures.
Read More
A secure futuristic server room with holographic security shields defending against red digital chains of encryption malware

Ransomware Incident Response Playbook for Security Teams

Request a free threat exposure assessment. Get the ransomware incident response playbook security teams need to isolate attacks and restore operations.
Read More