CVE-2026-41002 Overview
CVE-2026-41002 is a time-of-check-time-of-use (TOCTOU) race condition affecting the Spring Cloud Config Server. The flaw resides in the handling of the spring.cloud.config.server.git.basedir directory used to clone Git repositories. An authenticated local attacker with high privileges can exploit the race window between filesystem checks and subsequent operations to compromise confidentiality and integrity. The issue is tracked under CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition.
Critical Impact
Successful exploitation allows an attacker to manipulate files in the configured base directory, leading to disclosure or tampering of repository content served by the Config Server.
Affected Products
- Spring Cloud Config 3.1.0 through 3.1.13 (Enterprise Support Only)
- Spring Cloud Config 4.1.0 through 4.1.9 and 4.2.0 through 4.2.6 (Enterprise Support Only)
- Spring Cloud Config 4.3.0 through 4.3.2 and 5.0.0 through 5.0.2
Discovery Timeline
- 2026-05-07 - CVE-2026-41002 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41002
Vulnerability Analysis
The Spring Cloud Config Server clones remote Git repositories into a base directory specified by spring.cloud.config.server.git.basedir. The server validates properties of files or directories at one point in time, then operates on those resources later without re-validating state. An attacker with local access can interleave filesystem operations between the check and the use, redirecting the server to act on attacker-controlled paths.
This class of flaw falls under CWE-367. Because the Config Server typically runs with elevated privileges relative to the configuration data it manages, exploitation produces a scope change. An attacker can affect resources beyond their own privilege boundary, including files read by other tenants or services consuming configuration data.
Root Cause
The root cause is non-atomic handling of filesystem state in the base directory. The Config Server inspects the directory or its contents, then performs Git clone or read operations against the same path. Between those steps, an attacker can replace files, swap symlinks, or alter directory entries to influence the operation that follows.
Attack Vector
Exploitation requires local access and high privileges on the host running the Config Server. The attacker must win a race condition, which raises attack complexity. No user interaction is required. The vulnerability affects confidentiality and integrity of configuration content but does not directly impact availability. See the Spring Security Advisory CVE-2026-41002 for vendor-supplied technical details.
Detection Methods for CVE-2026-41002
Indicators of Compromise
- Unexpected symlinks, hardlinks, or file replacements within the directory referenced by spring.cloud.config.server.git.basedir.
- Git clone operations that resolve to paths outside the intended repository workspace.
- Configuration responses served by the Config Server containing content not present in the upstream Git repository.
Detection Strategies
- Monitor filesystem activity in the Config Server base directory using auditd or equivalent kernel-level auditing for rename, symlink, and unlink syscalls.
- Compare cloned repository contents against the authoritative upstream commit hash to detect tampering.
- Inspect Spring Cloud Config Server logs for repeated clone failures or directory state errors that may indicate race-window probing.
Monitoring Recommendations
- Enable verbose logging on org.springframework.cloud.config.server to capture repository operations.
- Track process activity from non-service accounts that touch the Config Server base directory.
- Alert on creation of symbolic links by users other than the Config Server service account.
How to Mitigate CVE-2026-41002
Immediate Actions Required
- Upgrade Spring Cloud Config to a fixed release: 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3 or later.
- Restrict local shell access to hosts running the Config Server to administrators only.
- Ensure the base directory is owned by the Config Server service account with no write access for other local users.
Patch Information
VMware/Spring has released fixed versions across all maintained branches. Spring Cloud Config 3.1.14, 4.1.10, and 4.2.7 are available through Enterprise Support. Spring Cloud Config 4.3.3 and 5.0.3 are available through standard distribution channels. Refer to the Spring Security Advisory CVE-2026-41002 for upgrade guidance.
Workarounds
- Place spring.cloud.config.server.git.basedir on a filesystem accessible only to the Config Server service account, with 0700 permissions on the directory.
- Disable local interactive logins on Config Server hosts to remove the prerequisite local access.
- Run the Config Server inside a dedicated container or namespace that isolates its filesystem from other workloads on the host.
# Configuration example
# Restrict ownership and permissions on the Git base directory
chown spring-config:spring-config /var/lib/spring-cloud-config/repos
chmod 700 /var/lib/spring-cloud-config/repos
# Verify no other users can stage TOCTOU primitives in the directory
find /var/lib/spring-cloud-config/repos -not -user spring-config -print
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
