CVE-2026-40982 Overview
CVE-2026-40982 is a directory traversal vulnerability [CWE-22] in the spring-cloud-config-server module of Spring Cloud Config. The flaw allows unauthenticated remote attackers to send specially crafted URLs that escape the intended file serving path. Successful exploitation lets attackers read arbitrary text and binary files from the host running the configuration server. Affected branches include 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x.
Critical Impact
An unauthenticated network attacker can read arbitrary files from the Spring Cloud Config Server host, exposing application secrets, credentials, and configuration data used across distributed services.
Affected Products
- Spring Cloud Config 3.1.0 through 3.1.13 (fixed in 3.1.14, Enterprise Support Only)
- Spring Cloud Config 4.1.0 through 4.1.9 and 4.2.0 through 4.2.6 (fixed in 4.1.10 and 4.2.7, Enterprise Support Only)
- Spring Cloud Config 4.3.0 through 4.3.2 and 5.0.0 through 5.0.2 (fixed in 4.3.3 and 5.0.3)
Discovery Timeline
- 2026-05-07 - CVE-2026-40982 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-40982
Vulnerability Analysis
Spring Cloud Config Server exposes HTTP endpoints that return configuration files to client applications. The spring-cloud-config-server module serves both text and binary resources stored in a backend repository. The server fails to fully normalize and validate path segments supplied through the request URL. An attacker can therefore craft a request containing traversal sequences that resolve to files outside the configured repository root.
Because the server commonly runs as a centralized configuration broker for microservices, the files reachable through the traversal often include application property files, certificates, and credential stores. Reading these resources can disclose database passwords, API tokens, signing keys, and infrastructure secrets used by every dependent service.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22] in the resource serving handler. User-supplied path components are concatenated with the repository base path without canonicalizing the result and verifying it remains within the allowed root. Sequences such as .. and encoded variants pass through to the underlying file system call.
Attack Vector
Exploitation requires only network access to the config server and no authentication or user interaction. The attacker issues a single HTTP GET request containing a crafted URL that references a label, application name, or profile path with traversal characters. The server resolves the path against the local file system and returns the contents of the targeted file in the HTTP response. Servers exposed to the internet or to untrusted internal networks are directly reachable.
No verified public exploit code is available at this time. Refer to the Spring Security Advisory CVE-2026-40982 for vendor technical detail.
Detection Methods for CVE-2026-40982
Indicators of Compromise
- HTTP requests to Spring Cloud Config Server endpoints containing .., %2e%2e, ..%2f, or other encoded traversal sequences in the path or label parameters.
- Access log entries showing 200 responses for requests targeting unusual file extensions such as .pem, .key, .jks, /etc/passwd, or paths outside the configured repository.
- Outbound connections from the config server host to attacker-controlled infrastructure following anomalous request bursts.
Detection Strategies
- Inspect web server and reverse proxy logs for path traversal patterns reaching /{application}/{profile} and /{label} style endpoints exposed by spring-cloud-config-server.
- Deploy WAF or API gateway rules that decode and normalize URLs before evaluating them against a deny list of traversal sequences.
- Use the Singularity Platform with Storyline technology to correlate suspicious config server requests with downstream process activity and secondary credential use.
Monitoring Recommendations
- Centralize Spring Cloud Config Server access logs into a SIEM such as Singularity Data Lake and alert on traversal signatures and high request rates from single sources.
- Monitor file read events on the config server host for access to sensitive paths outside the Git or filesystem-backed repository directory.
- Track authentication failures and anomalous outbound traffic from any host running spring-cloud-config-server.
How to Mitigate CVE-2026-40982
Immediate Actions Required
- Upgrade to a fixed release immediately: 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3 according to the branch in use.
- Restrict network exposure of the config server to trusted application hosts using firewall rules or service mesh policies.
- Rotate any secrets, certificates, or credentials served by the config server that may have been disclosed.
Patch Information
VMware Tanzu has released fixed versions for each affected branch as documented in the Spring Security Advisory CVE-2026-40982. Fixes for 3.1.14, 4.1.10, and 4.2.7 are available through Enterprise Support only. Versions 4.3.3 and 5.0.3 are available through standard distribution channels. Update the spring-cloud-config-server dependency in your build configuration and redeploy all affected instances.
Workarounds
- Place the config server behind an authenticated reverse proxy or API gateway that rejects URLs containing traversal sequences before they reach the application.
- Enforce Spring Security on the config server endpoints and require client authentication for every request.
- Run the config server process under an unprivileged service account with file system permissions restricted to the configuration repository directory.
# Configuration example
# Maven dependency update for the 4.3.x branch
# pom.xml
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-config-server</artifactId>
<version>4.3.3</version>
</dependency>
# Gradle dependency update
implementation 'org.springframework.cloud:spring-cloud-config-server:4.3.3'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
